Analysis
max time kernel: 151s
max time network: 148s
platform: windows10_x64
resource: win10v20210408
submitted: 24-09-2021 21:55
Static task: static1
Behavioral task: behavioral1
Sample: e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
Resource: win10v20210408
General
Target: e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
Size: 286KB
MD5: 68ea7b6eb8bd48a2606c8cf073867a83
SHA1: ec78be2637220d1b6572a9db7b6cd8284fd1b2a4
SHA256: e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a
SHA512: 040c0c67c858059bf801a7a4b8f6b82fe89ce053b0654d098f3ecefba3f0a82539251e508c888dc54d6e16b8174089891d997a5d03df1cdc5bf41f58804496ac
Malware Config
Extracted: smokeloader
  2020
Extracted: redline
  700$
  65.21.231.57:60751
Extracted: redline
  178.132.3.103:80
Extracted: raccoon
  f6d7183c9e82d2a9b81e6c0608450aa66cefb51f
  url4cnc: https://t.me/justoprostohello
Extracted: redline
  2k superstar
  185.244.180.224:39957
Extracted: raccoon
  d4d8e30c16491ca1c11f7aa675764335342faedf
  url4cnc: https://t.me/hcdrom1
Extracted: raccoon
  5ff0ccb2bc00dc52d1ad09949e9c7663bc9ca4d4
  url4cnc: https://t.me/agrybirdsgamerept
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
Processes:
  resource                                                                       yara_rule
  behavioral1/memory/3748-132-0x0000000000540000-0x0000000000562000-memory.dmp  family_redline
  behavioral1/memory/3748-137-0x000000000055C5CA-mapping.dmp                    family_redline
  behavioral1/memory/2060-146-0x0000000002170000-0x000000000218F000-memory.dmp  family_redline
  behavioral1/memory/2060-153-0x0000000002490000-0x00000000024AE000-memory.dmp  family_redline
  behavioral1/memory/3424-186-0x00000000048B0000-0x00000000048CF000-memory.dmp  family_redline
  behavioral1/memory/3424-188-0x0000000004B60000-0x0000000004B7E000-memory.dmp  family_redline
-
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
-
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 10 IoCs
Processes:
  pid   process
  2060  D9F0.exe
  2656  DDB9.exe
  3956  EE54.exe
  3188  F7DB.exe
  3424  FF1F.exe
  648   7DB.exe
  3600  129A.exe
  2692  1829.exe
  4524  j130t6D6Pk.exe
  4192  sihost.exe
-
Modifies RDP port number used by Windows 1 TTPs
-
Sets DLL path for service in the registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  129A.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   129A.exe
-
Deletes itself 1 IoCs
Processes:
  pid   process
  2428
-
Drops startup file 1 IoCs
Processes:
  description   ioc                                                                                     process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7DB.vbs  7DB.exe
-
Loads dropped DLL 6 IoCs
Processes:
  pid   process
  3188  F7DB.exe
  3188  F7DB.exe
  3188  F7DB.exe
  3188  F7DB.exe
  3188  F7DB.exe
  3188  F7DB.exe
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description      ioc                                                                                                                                                                  process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\7DB = "\"C:\\Users\\Admin\\AppData\\Roaming\\7DB.exe\""  7DB.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
  description        ioc                                                                                  process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  129A.exe
-
Drops file in System32 directory 1 IoCs
Processes:
  description   ioc                              process
  File created  C:\Windows\SysWOW64\rdpclip.exe  powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
  pid   process
  3600  129A.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
  description                          pid   process                                                                 target process
  PID 632 set thread context of 804    632   e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe  e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  PID 2656 set thread context of 3748  2656  DDB9.exe                                                                RegSvcs.exe
-
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                               process
  File created                  C:\Windows\branding\wupsvc.jpg    powershell.exe
  File opened for modification  C:\Windows\branding\Basebrd       powershell.exe
  File opened for modification  C:\Windows\branding\ShellBrd      powershell.exe
  File opened for modification  C:\Windows\branding\mediasrv.png  powershell.exe
  File opened for modification  C:\Windows\branding\mediasvc.png  powershell.exe
  File opened for modification  C:\Windows\branding\wupsvc.jpg    powershell.exe
  File created                  C:\Windows\branding\mediasrv.png  powershell.exe
  File created                  C:\Windows\branding\mediasvc.png  powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description     ioc                                               process
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
  pid   process
  4692  schtasks.exe
  4236  schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
Processes:
  pid   process
  4588  timeout.exe
-
Modifies registry class 2 IoCs
Processes:
  description  ioc                                                                                                                     process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
  Key created  \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
-
Modifies registry key 1 TTPs 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
  pid   process
  804   e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  804   e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  2428  (process name not captured; this row repeats for all remaining entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
  pid   process
  2428
-
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
  pid   process
  616
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
  pid   process
  804   e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
  description                       pid   process
  Token: SeShutdownPrivilege        2428
  Token: SeCreatePagefilePrivilege  2428
  (the two rows above alternate for PID 2428 throughout the list, between the distinct entries below)
  Token: SeDebugPrivilege           2116  powershell.exe
  Token: SeDebugPrivilege           2060  D9F0.exe
  Token: SeDebugPrivilege           3748  RegSvcs.exe
  Token: SeDebugPrivilege           3424  FF1F.exe
  Token: SeDebugPrivilege           648   7DB.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
  pid   process
  2428
  2428
  2428
  2428
  2428
  2428
-
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
  pid   process
  2428
  2428
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
  description                        pid   process                                                                 target process                                                          times
  PID 632 wrote to memory of 804     632   e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe  e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe  6
  PID 2428 wrote to memory of 2060   2428                                                                          D9F0.exe                                                                3
  PID 2428 wrote to memory of 2656   2428                                                                          DDB9.exe                                                                3
  PID 2428 wrote to memory of 3956   2428                                                                          EE54.exe                                                                3
  PID 2656 wrote to memory of 3748   2656  DDB9.exe                                                                RegSvcs.exe                                                             5
  PID 2428 wrote to memory of 3188   2428                                                                          F7DB.exe                                                                3
  PID 2428 wrote to memory of 3424   2428                                                                          FF1F.exe                                                                3
  PID 2428 wrote to memory of 648    2428                                                                          7DB.exe                                                                 2
  PID 2428 wrote to memory of 3600   2428                                                                          129A.exe                                                                3
  PID 2428 wrote to memory of 2692   2428                                                                          1829.exe                                                                3
  PID 3956 wrote to memory of 2116   3956  EE54.exe                                                                powershell.exe                                                          3
  PID 2116 wrote to memory of 4316   2116  powershell.exe                                                          csc.exe                                                                 3
  PID 4316 wrote to memory of 4420   4316  csc.exe                                                                 cvtres.exe                                                              3
  PID 3188 wrote to memory of 4524   3188  F7DB.exe                                                                j130t6D6Pk.exe                                                          3
  PID 3188 wrote to memory of 4548   3188  F7DB.exe                                                                cmd.exe                                                                 3
  PID 4548 wrote to memory of 4588   4548  cmd.exe                                                                 timeout.exe                                                             3
  PID 4524 wrote to memory of 4692   4524  j130t6D6Pk.exe                                                          schtasks.exe                                                            3
  PID 2116 wrote to memory of 4776   2116  powershell.exe                                                          powershell.exe                                                          3
  PID 2116 wrote to memory of 3716   2116  powershell.exe                                                          powershell.exe                                                          3
  PID 2116 wrote to memory of 4528   2116  powershell.exe                                                          powershell.exe                                                          3
  (identical rows collapsed; "times" is the number of occurrences, 64 in total)
Processes
(child processes are nested under their parent)
- C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 632
  - C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\e498ee51d574ae0719fee5da8afb627adc25b946c179815904a65ad4364d0c4a.exe"
    Signatures: Checks SCSI registry key(s); Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection
    PID: 804
- C:\Users\Admin\AppData\Local\Temp\D9F0.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\D9F0.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID: 2060
- C:\Users\Admin\AppData\Local\Temp\DDB9.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\DDB9.exe
  Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  PID: 2656
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    Signatures: Suspicious use of AdjustPrivilegeToken
    PID: 3748
- C:\Users\Admin\AppData\Local\Temp\EE54.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\EE54.exe
  Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
  PID: 3956
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
    Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 2116
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1ez5qfc3\1ez5qfc3.cmdline"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 4316
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES425E.tmp" "c:\Users\Admin\AppData\Local\Temp\1ez5qfc3\CSCFB9CD46ACCC74A099EECC47747E335D2.TMP"
        PID: 4420
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 4776
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 3716
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
      PID: 4528
    - C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
      PID: 1836
    - C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
      Signatures: Modifies registry key
      PID: 4716
    - C:\Windows\SysWOW64\reg.exe
      Command line: "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
      PID: 4588
    - C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
      PID: 4572
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
        PID: 3692
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
      PID: 4892
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start rdpdr
        PID: 4936
        - C:\Windows\SysWOW64\net.exe
          Command line: net start rdpdr
          PID: 5028
          - C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start rdpdr
            PID: 5052
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
      PID: 5080
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c net start TermService
        PID: 5096
        - C:\Windows\SysWOW64\net.exe
          Command line: net start TermService
          PID: 5112
          - C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 start TermService
            PID: 4900
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
      PID: 5004
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
      PID: 4432
- C:\Users\Admin\AppData\Local\Temp\F7DB.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F7DB.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
  PID: 3188
  - C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\j130t6D6Pk.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    PID: 4524
    - C:\Windows\SysWOW64\schtasks.exe
      Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
      Signatures: Creates scheduled task(s)
      PID: 4692
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F7DB.exe"
    Signatures: Suspicious use of WriteProcessMemory
    PID: 4548
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /T 10 /NOBREAK
      Signatures: Delays execution with timeout.exe
      PID: 4588
- C:\Users\Admin\AppData\Local\Temp\FF1F.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\FF1F.exe
  Signatures: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken
  PID: 3424
- C:\Users\Admin\AppData\Local\Temp\7DB.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\7DB.exe
  Signatures: Executes dropped EXE; Drops startup file; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken
  PID: 648
- C:\Users\Admin\AppData\Local\Temp\129A.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\129A.exe
  Signatures: Executes dropped EXE; Checks BIOS information in registry; Checks whether UAC is enabled; Suspicious use of NtSetInformationThreadHideFromDebugger
  PID: 3600
- C:\Users\Admin\AppData\Local\Temp\1829.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\1829.exe
  Signatures: Executes dropped EXE
  PID: 2692
- C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe
  Signatures: Executes dropped EXE
  PID: 4192
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: /C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sihost.exe"
    Signatures: Creates scheduled task(s)
    PID: 4236
Network
MITRE ATT&CK Enterprise v6
Downloads