redline | e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152

General

Target

0aef3aef127a4f780fc0166e4ed8ebac.exe
Size

549KB
MD5

0aef3aef127a4f780fc0166e4ed8ebac
SHA1

de5e59cd81f17027d811400bc7d48765e1d55df2
SHA256

e7aa0daa42cf46f9268775f5deff2b2f9574ef893202491521e89a7540688152
SHA512

1cd35a889aebf12b42b43eb83aa8c224e1896045c37b0f08f89b5910ff55e15bcba9e215f97ead7432dc47796263508906287e184ab9f6c602097f7eb93ce5fa

Score

10^/10

redline 10 discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

10

C2

18.191.251.199:45097

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1064-62-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1064-61-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1064-63-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral1/memory/1064-64-0x0000000000419322-mapping.dmp	family_redline
behavioral1/memory/1064-65-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

condition.exe

pid process

1692 condition.exe
Loads dropped DLL 6 IoCs

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exeWerFault.exe

pid process

1064 0aef3aef127a4f780fc0166e4ed8ebac.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exe

description pid process target process

PID 1608 set thread context of 1064 1608 0aef3aef127a4f780fc0166e4ed8ebac.exe 0aef3aef127a4f780fc0166e4ed8ebac.exe

pid	process
1692	condition.exe

pid	process
1064	0aef3aef127a4f780fc0166e4ed8ebac.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe

description	pid	process	target process
PID 1608 set thread context of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe

Drops file in Windows directory 4 IoCs

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exeDism.exe

description	ioc	process
File created	C:\Windows\Tasks\wmi.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
File created	C:\Windows\Tasks\SA.abf	0aef3aef127a4f780fc0166e4ed8ebac.exe
File created	C:\Windows\Tasks\condition.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1564 1692 WerFault.exe condition.exe

pid	pid_target	process	target process
1564	1692	WerFault.exe	condition.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0aef3aef127a4f780fc0166e4ed8ebac.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	0aef3aef127a4f780fc0166e4ed8ebac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0aef3aef127a4f780fc0166e4ed8ebac.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	0aef3aef127a4f780fc0166e4ed8ebac.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exeWerFault.exe

pid process

1868 powershell.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe
1564 WerFault.exe

pid	process
1868	powershell.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe
1564	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exe0aef3aef127a4f780fc0166e4ed8ebac.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe
Token: SeDebugPrivilege	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1564	WerFault.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

0aef3aef127a4f780fc0166e4ed8ebac.exe0aef3aef127a4f780fc0166e4ed8ebac.execmd.execmd.execondition.exe

description	pid	process	target process
PID 1608 wrote to memory of 1516	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1516	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1516	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1516	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1608 wrote to memory of 1064	1608	0aef3aef127a4f780fc0166e4ed8ebac.exe	0aef3aef127a4f780fc0166e4ed8ebac.exe
PID 1064 wrote to memory of 1164	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	cmd.exe
PID 1064 wrote to memory of 1164	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	cmd.exe
PID 1064 wrote to memory of 1164	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	cmd.exe
PID 1064 wrote to memory of 1164	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	cmd.exe
PID 1164 wrote to memory of 1184	1164	cmd.exe	cmd.exe
PID 1164 wrote to memory of 1184	1164	cmd.exe	cmd.exe
PID 1164 wrote to memory of 1184	1164	cmd.exe	cmd.exe
PID 1164 wrote to memory of 1184	1164	cmd.exe	cmd.exe
PID 1184 wrote to memory of 1988	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 1988	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 1988	1184	cmd.exe	reg.exe
PID 1184 wrote to memory of 1988	1184	cmd.exe	reg.exe
PID 1164 wrote to memory of 1220	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1220	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1220	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1220	1164	cmd.exe	reg.exe
PID 1164 wrote to memory of 1868	1164	cmd.exe	powershell.exe
PID 1164 wrote to memory of 1868	1164	cmd.exe	powershell.exe
PID 1164 wrote to memory of 1868	1164	cmd.exe	powershell.exe
PID 1164 wrote to memory of 1868	1164	cmd.exe	powershell.exe
PID 1164 wrote to memory of 1704	1164	cmd.exe	Dism.exe
PID 1164 wrote to memory of 1704	1164	cmd.exe	Dism.exe
PID 1164 wrote to memory of 1704	1164	cmd.exe	Dism.exe
PID 1164 wrote to memory of 1704	1164	cmd.exe	Dism.exe
PID 1064 wrote to memory of 1692	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	condition.exe
PID 1064 wrote to memory of 1692	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	condition.exe
PID 1064 wrote to memory of 1692	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	condition.exe
PID 1064 wrote to memory of 1692	1064	0aef3aef127a4f780fc0166e4ed8ebac.exe	condition.exe
PID 1692 wrote to memory of 1564	1692	condition.exe	WerFault.exe
PID 1692 wrote to memory of 1564	1692	condition.exe	WerFault.exe
PID 1692 wrote to memory of 1564	1692	condition.exe	WerFault.exe
PID 1692 wrote to memory of 1564	1692	condition.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe
"C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1608

C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe
C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe
C:\Users\Admin\AppData\Local\Temp\0aef3aef127a4f780fc0166e4ed8ebac.exe
2⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\cmd.exe
"cmd" /C cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f & reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f & c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true" & dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
3⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\cmd.exe
cmd /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
4⤵
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
5⤵
PID:1988

C:\Windows\SysWOW64\reg.exe
reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
4⤵
PID:1220

\??\c:\windows\SysWOW64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\windowspowershell\v1.0\powershell.exe "Set-MpPreference -DisableRealtimeMonitoring $true"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\SysWOW64\Dism.exe
dism /online /disable-feature /featurename:windows-defender /remove /norestart /quiet
4⤵
- Drops file in Windows directory
PID:1704

C:\Windows\Tasks\condition.exe
"C:\Windows\Tasks\condition.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1692 -s 564
4⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Disabling Security Tools

1

T1089

Install Root Certificate

1

T1130

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
C:\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
\Windows\Tasks\condition.exe
MD5
77641a8ced792a27d6e11d69d068ce17

SHA1
39153e51fd474b299087f4adba901a0cc064eb11

SHA256
bdf924721a28595ab2d233ffbca8cea121194642786a76bfe1cd58f3721ed3b7

SHA512
83933db29bb384fd843ae0a25728c17180722c835e9f023dc4a4d7aac2c876851aa098aeb9893561bffd06682814fb1ca0b5359af7e46b19946e2ecfb38a6b2c

Download Submit
memory/1064-64-0x0000000000419322-mapping.dmp

Download
memory/1064-59-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-67-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/1064-60-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-63-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-65-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-61-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1064-62-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1164-68-0x0000000000000000-mapping.dmp

Download
memory/1184-69-0x0000000000000000-mapping.dmp

Download
memory/1220-71-0x0000000000000000-mapping.dmp

Download
memory/1564-84-0x0000000000000000-mapping.dmp

Download
memory/1564-91-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1608-58-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1608-57-0x00000000047E0000-0x00000000047E1000-memory.dmp

Filesize
4KB

Download
memory/1608-55-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1692-79-0x0000000000000000-mapping.dmp

Download
memory/1692-82-0x0000000000820000-0x0000000000821000-memory.dmp

Filesize
4KB

Download
memory/1704-77-0x0000000000000000-mapping.dmp

Download
memory/1868-76-0x00000000024D2000-0x00000000024D4000-memory.dmp

Filesize
8KB

Download
memory/1868-75-0x00000000024D1000-0x00000000024D2000-memory.dmp

Filesize
4KB

Download
memory/1868-74-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/1868-73-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1868-72-0x0000000000000000-mapping.dmp

Download
memory/1988-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads