redline | 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9

Resubmissions

28-09-2021 20:51

210928-zm5pdsdae8 10

28-09-2021 20:22

210928-y5kaqsdaa9 10

Analysis

max time kernel
52s
max time network
1803s
platform
windows7_x64
resource
win7v20210408
submitted
28-09-2021 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
Size

3.9MB
MD5

1be0d2741eaac6804e24a7586b1086b0
SHA1

cdb330156b2063c6f259cb10a787463756798f7a
SHA256

071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
SHA512

cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85

Score

10^/10

redline smokeloader pab4 aspackv2 backdoor evasion infostealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

pab4

185.215.113.15:61506

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral2/memory/1632-178-0x00000000033A0000-0x00000000033BC000-memory.dmp	family_redline
behavioral2/memory/1632-185-0x0000000004930000-0x000000000494A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00040000000130d5-68.dat	aspack_v212_v242
behavioral2/files/0x00040000000130d5-69.dat	aspack_v212_v242
behavioral2/files/0x00040000000130d3-70.dat	aspack_v212_v242
behavioral2/files/0x00040000000130d3-71.dat	aspack_v212_v242
behavioral2/files/0x00030000000130db-75.dat	aspack_v212_v242
behavioral2/files/0x00030000000130db-74.dat	aspack_v212_v242

Executes dropped EXE 9 IoCs

pid	Process
1760	setup_install.exe
1712	Thu0299d0d70a4d322.exe
1656	Thu02c015332704.exe
1572	Thu02f60acc90a3.exe
620	Thu0247e977c7950492a.exe
1624	Thu02d385ff55.exe
1564	Thu02483b39590da5492.exe
1632	Thu02588bdad8e7.exe
1136	Thu0247e977c7950492a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	Thu02d385ff55.exe

Loads dropped DLL 32 IoCs

pid	Process
1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1760	setup_install.exe
1940	cmd.exe
1940	cmd.exe
1560	cmd.exe
1712	Thu0299d0d70a4d322.exe
1712	Thu0299d0d70a4d322.exe
1064	cmd.exe
828	cmd.exe
828	cmd.exe
564	cmd.exe
900	cmd.exe
900	cmd.exe
1936	Process not Found
620	Thu0247e977c7950492a.exe
620	Thu0247e977c7950492a.exe
1624	Thu02d385ff55.exe
1624	Thu02d385ff55.exe
1632	Thu02588bdad8e7.exe
1632	Thu02588bdad8e7.exe
620	Thu0247e977c7950492a.exe
1136	Thu0247e977c7950492a.exe
1136	Thu0247e977c7950492a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com
40	ipinfo.io
41	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe

Modifies system certificate store 2 TTPs 7 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Thu02c015332704.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu02c015332704.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu02c015332704.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu02f60acc90a3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1712	Thu0299d0d70a4d322.exe
1712	Thu0299d0d70a4d322.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1800	powershell.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1712	Thu0299d0d70a4d322.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	Thu02c015332704.exe
Token: SeDebugPrivilege	1572	Thu02f60acc90a3.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1632	Thu02588bdad8e7.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1200	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1840 wrote to memory of 1760	1840	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	25
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 1224	1760	setup_install.exe	36
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 828	1760	setup_install.exe	35
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1940	1760	setup_install.exe	34
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 1936	1760	setup_install.exe	33
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 340	1760	setup_install.exe	27
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 900	1760	setup_install.exe	28
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 564	1760	setup_install.exe	29
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1064	1760	setup_install.exe	32
PID 1760 wrote to memory of 1752	1760	setup_install.exe	31

C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
"C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\7zS0374B781\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0374B781\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe
    3⤵
    PID:340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe
    3⤵
    - Loads dropped DLL
    PID:900
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu02588bdad8e7.exe
      Thu02588bdad8e7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:1632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02d385ff55.exe
    3⤵
    - Loads dropped DLL
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu02d385ff55.exe
      Thu02d385ff55.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      PID:1624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02c015332704.exe
    3⤵
    - Loads dropped DLL
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu02c015332704.exe
      Thu02c015332704.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe
    3⤵
    - Loads dropped DLL
    PID:1064
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu02f60acc90a3.exe
      Thu02f60acc90a3.exe
      4⤵
      Executes dropped EXE
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe
    3⤵
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu02483b39590da5492.exe
      Thu02483b39590da5492.exe
      4⤵
      Executes dropped EXE
      PID:1564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe
    3⤵
    - Loads dropped DLL
    PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu0299d0d70a4d322.exe
      Thu0299d0d70a4d322.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe
    3⤵
    - Loads dropped DLL
    PID:828
  - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu0247e977c7950492a.exe
      Thu0247e977c7950492a.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:620
    - - C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu0247e977c7950492a.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0374B781\Thu0247e977c7950492a.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1224
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1800

C:\Windows\system32\taskeng.exe
taskeng.exe {23EB783A-43B2-49A8-95FD-52197597FF5B} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:816
- C:\Users\Admin\AppData\Roaming\djrdwtv
  C:\Users\Admin\AppData\Roaming\djrdwtv
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Roaming\djrdwtv
  C:\Users\Admin\AppData\Roaming\djrdwtv
  2⤵
  PID:580

C:\Windows\system32\taskeng.exe
taskeng.exe {04483E6C-7FCB-40A4-B3BD-B3AA5B87DFA2} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:1944
- C:\Users\Admin\AppData\Roaming\djrdwtv
  C:\Users\Admin\AppData\Roaming\djrdwtv
  2⤵
  PID:1776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-239-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1200-241-0x0000000002A30000-0x0000000002A46000-memory.dmp

Filesize
88KB

Download
memory/1200-192-0x00000000036C0000-0x00000000036D0000-memory.dmp

Filesize
64KB

Download
memory/1200-179-0x00000000021E0000-0x00000000021F6000-memory.dmp

Filesize
88KB

Download
memory/1200-236-0x0000000002A00000-0x0000000002A16000-memory.dmp

Filesize
88KB

Download
memory/1564-184-0x000007FEFBF71000-0x000007FEFBF73000-memory.dmp

Filesize
8KB

Download
memory/1564-187-0x0000000002C80000-0x0000000002D57000-memory.dmp

Filesize
860KB

Download
memory/1564-188-0x00000000038B0000-0x0000000003A4B000-memory.dmp

Filesize
1.6MB

Download
memory/1572-172-0x000000001AFE0000-0x000000001AFE2000-memory.dmp

Filesize
8KB

Download
memory/1572-167-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/1572-158-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1624-197-0x0000000004100000-0x0000000004241000-memory.dmp

Filesize
1.3MB

Download
memory/1632-165-0x0000000002CD0000-0x0000000002CFF000-memory.dmp

Filesize
188KB

Download
memory/1632-189-0x00000000070C4000-0x00000000070C6000-memory.dmp

Filesize
8KB

Download
memory/1632-182-0x00000000070C3000-0x00000000070C4000-memory.dmp

Filesize
4KB

Download
memory/1632-180-0x00000000070C2000-0x00000000070C3000-memory.dmp

Filesize
4KB

Download
memory/1632-185-0x0000000004930000-0x000000000494A000-memory.dmp

Filesize
104KB

Download
memory/1632-171-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/1632-178-0x00000000033A0000-0x00000000033BC000-memory.dmp

Filesize
112KB

Download
memory/1632-176-0x00000000070C1000-0x00000000070C2000-memory.dmp

Filesize
4KB

Download
memory/1656-164-0x000000001B250000-0x000000001B252000-memory.dmp

Filesize
8KB

Download
memory/1656-144-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/1712-174-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1712-173-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1760-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1760-100-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1760-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1760-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1760-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1760-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1760-87-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1760-91-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1760-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1760-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1776-243-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1800-181-0x0000000004AB2000-0x0000000004AB3000-memory.dmp

Filesize
4KB

Download
memory/1800-202-0x000000007EF30000-0x000000007EF31000-memory.dmp

Filesize
4KB

Download
memory/1800-206-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/1800-207-0x0000000006310000-0x0000000006311000-memory.dmp

Filesize
4KB

Download
memory/1800-214-0x00000000063A0000-0x00000000063A1000-memory.dmp

Filesize
4KB

Download
memory/1800-215-0x0000000006430000-0x0000000006431000-memory.dmp

Filesize
4KB

Download
memory/1800-200-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/1800-191-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1800-190-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1800-183-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/1800-177-0x00000000023E0000-0x00000000023E1000-memory.dmp

Filesize
4KB

Download
memory/1800-175-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/1840-60-0x00000000757C1000-0x00000000757C3000-memory.dmp

Filesize
8KB

Download
memory/1972-234-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download