redline | 9a388aea47d2682630cd9208ba1f0ae9a9e9c1a57aa0448fb6c2995afe1da9be

Analysis

max time kernel
133s
max time network
120s
platform
windows7_x64
resource
win7-en-20211208
submitted
22-12-2021 21:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52fc012dd5afbbe2a0de6eb91bc888cc.exe
Size

698KB
MD5

52fc012dd5afbbe2a0de6eb91bc888cc
SHA1

aae34b8665dd350a3aeb2fe2d8651825387f7062
SHA256

9a388aea47d2682630cd9208ba1f0ae9a9e9c1a57aa0448fb6c2995afe1da9be
SHA512

5d81171a9725b74d3e7e1de5e6d22b0da17ea8fef75f3c9b4f8cc06c2ed31fc30ab075d5a24206b989d5ca36ecaa77b77b8ca14f0c0d743f85b7da73439f03fa

Score

10^/10

redline discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

185.215.113.57:50723

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1712-60-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-61-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-63-0x000000000041BBCE-mapping.dmp	family_redline
behavioral1/memory/1712-64-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-67-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-70-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-72-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline
behavioral1/memory/1712-73-0x0000000000090000-0x00000000000B0000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

fl.exeservices32.exesihost32.exe

pid process

280 fl.exe
1348 services32.exe
1464 sihost32.exe
Loads dropped DLL 3 IoCs

Processes:

RegAsm.execmd.execonhost.exe

pid process

1712 RegAsm.exe
1756 cmd.exe
1732 conhost.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
280	fl.exe
1348	services32.exe
1464	sihost32.exe

Drops file in System32 directory 7 IoCs

Processes:

powershell.execonhost.exepowershell.exepowershell.exepowershell.execonhost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\Microsoft\Telemetry\sihost32.exe	conhost.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\system32\services32.exe	conhost.exe
File opened for modification	C:\Windows\system32\services32.exe	conhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

52fc012dd5afbbe2a0de6eb91bc888cc.exe

description pid process target process

PID 1608 set thread context of 1712 1608 52fc012dd5afbbe2a0de6eb91bc888cc.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	pid	process	target process
PID 1608 set thread context of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1100 schtasks.exe

pid	process
1100	schtasks.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

RegAsm.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

pid	process
1712	RegAsm.exe
1712	RegAsm.exe
1712	RegAsm.exe
1968	conhost.exe
1676	powershell.exe
1624	powershell.exe
1732	conhost.exe
1732	conhost.exe
1996	powershell.exe
1116	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

RegAsm.execonhost.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1712	RegAsm.exe
Token: SeDebugPrivilege	1968	conhost.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1732	conhost.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1116	powershell.exe

Suspicious use of WriteProcessMemory 57 IoCs

Processes:

52fc012dd5afbbe2a0de6eb91bc888cc.exeRegAsm.exefl.execonhost.execmd.execmd.execmd.exeservices32.execonhost.execmd.exe

description	pid	process	target process
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1608 wrote to memory of 1712	1608	52fc012dd5afbbe2a0de6eb91bc888cc.exe	RegAsm.exe
PID 1712 wrote to memory of 280	1712	RegAsm.exe	fl.exe
PID 1712 wrote to memory of 280	1712	RegAsm.exe	fl.exe
PID 1712 wrote to memory of 280	1712	RegAsm.exe	fl.exe
PID 1712 wrote to memory of 280	1712	RegAsm.exe	fl.exe
PID 280 wrote to memory of 1968	280	fl.exe	conhost.exe
PID 280 wrote to memory of 1968	280	fl.exe	conhost.exe
PID 280 wrote to memory of 1968	280	fl.exe	conhost.exe
PID 280 wrote to memory of 1968	280	fl.exe	conhost.exe
PID 1968 wrote to memory of 1752	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1752	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1752	1968	conhost.exe	cmd.exe
PID 1752 wrote to memory of 1676	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1676	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1676	1752	cmd.exe	powershell.exe
PID 1968 wrote to memory of 1564	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1564	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1564	1968	conhost.exe	cmd.exe
PID 1564 wrote to memory of 1100	1564	cmd.exe	schtasks.exe
PID 1564 wrote to memory of 1100	1564	cmd.exe	schtasks.exe
PID 1564 wrote to memory of 1100	1564	cmd.exe	schtasks.exe
PID 1752 wrote to memory of 1624	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1624	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1624	1752	cmd.exe	powershell.exe
PID 1968 wrote to memory of 1756	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1756	1968	conhost.exe	cmd.exe
PID 1968 wrote to memory of 1756	1968	conhost.exe	cmd.exe
PID 1756 wrote to memory of 1348	1756	cmd.exe	services32.exe
PID 1756 wrote to memory of 1348	1756	cmd.exe	services32.exe
PID 1756 wrote to memory of 1348	1756	cmd.exe	services32.exe
PID 1348 wrote to memory of 1732	1348	services32.exe	conhost.exe
PID 1348 wrote to memory of 1732	1348	services32.exe	conhost.exe
PID 1348 wrote to memory of 1732	1348	services32.exe	conhost.exe
PID 1348 wrote to memory of 1732	1348	services32.exe	conhost.exe
PID 1732 wrote to memory of 1712	1732	conhost.exe	cmd.exe
PID 1732 wrote to memory of 1712	1732	conhost.exe	cmd.exe
PID 1732 wrote to memory of 1712	1732	conhost.exe	cmd.exe
PID 1712 wrote to memory of 1996	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 1996	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 1996	1712	cmd.exe	powershell.exe
PID 1732 wrote to memory of 1464	1732	conhost.exe	sihost32.exe
PID 1732 wrote to memory of 1464	1732	conhost.exe	sihost32.exe
PID 1732 wrote to memory of 1464	1732	conhost.exe	sihost32.exe
PID 1712 wrote to memory of 1116	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 1116	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 1116	1712	cmd.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe
"C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
2⤵
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\fl.exe
"C:\Users\Admin\AppData\Local\Temp\fl.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\System32\cmd.exe
"cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
6⤵
- Creates scheduled task(s)
PID:1100

C:\Windows\System32\cmd.exe
"cmd" cmd /c "C:\Windows\system32\services32.exe"
5⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\system32\services32.exe
C:\Windows\system32\services32.exe
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
7⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\cmd.exe
"cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
8⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
9⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116

C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
"C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
8⤵
- Executes dropped EXE
PID:1464

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe" "/sihost32"
9⤵
PID:1588

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\fl.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
89188da1021b5c2633467d28a05df711

SHA1
3d2ea83f3bfb0b65c5f7b464d605f1ab75c584e1

SHA256
2fb86599e8cc3b63331411b404d3c4586f79cac5bbf6d3fff6b7450625d4f371

SHA512
43d1dded1844983a7300b70840b06b24465a796afb312936b1769a89b3dfa6c043fc532b6ccc50f3d4a3617dc75aaaa220c1efb9382586a803a972b1cda16445

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ff6a89ca55e7b9a1c48510e218e3bd73

SHA1
d2e5c316200c641e48c6188de401a4a0a0ca5b01

SHA256
61fffbeb536f24d5b479f6f5fb716845617cc74166484d6e1bfd98b2329d854c

SHA512
584e0a4b853aa7c3afa6d7ea2e1051d7aaaea2120d6118da4008b28ad52380695d1f804ff56a287729ff9ceb71581756dbdb6de66e0aced05c27c0d8213fe1a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
MD5
ff6a89ca55e7b9a1c48510e218e3bd73

SHA1
d2e5c316200c641e48c6188de401a4a0a0ca5b01

SHA256
61fffbeb536f24d5b479f6f5fb716845617cc74166484d6e1bfd98b2329d854c

SHA512
584e0a4b853aa7c3afa6d7ea2e1051d7aaaea2120d6118da4008b28ad52380695d1f804ff56a287729ff9ceb71581756dbdb6de66e0aced05c27c0d8213fe1a4

Download Submit
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
86fcce6aeceb68ca90fb404b5c6f18fa

SHA1
4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c

SHA256
9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9

SHA512
cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5

Download Submit
C:\Windows\System32\services32.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
C:\Windows\system32\services32.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
\Users\Admin\AppData\Local\Temp\fl.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
\Windows\System32\Microsoft\Telemetry\sihost32.exe
MD5
86fcce6aeceb68ca90fb404b5c6f18fa

SHA1
4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c

SHA256
9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9

SHA512
cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5

Download Submit
\Windows\System32\services32.exe
MD5
a8b987b72d561e365d7b62cffdd44908

SHA1
59125b006372bca87573a88d7826cfd967b50202

SHA256
8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728

SHA512
44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7

Download Submit
memory/280-76-0x0000000000000000-mapping.dmp

Download
memory/1100-84-0x0000000000000000-mapping.dmp

Download
memory/1116-135-0x000000001B6F0000-0x000000001B9EF000-memory.dmp

Filesize
3.0MB

Download
memory/1116-134-0x0000000002434000-0x0000000002437000-memory.dmp

Filesize
12KB

Download
memory/1116-133-0x0000000002432000-0x0000000002434000-memory.dmp

Filesize
8KB

Download
memory/1116-136-0x000000000243B000-0x000000000245A000-memory.dmp

Filesize
124KB

Download
memory/1116-132-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/1116-130-0x000007FEF2670000-0x000007FEF31CD000-memory.dmp

Filesize
11.4MB

Download
memory/1116-127-0x0000000000000000-mapping.dmp

Download
memory/1348-108-0x0000000000000000-mapping.dmp

Download
memory/1464-125-0x0000000000000000-mapping.dmp

Download
memory/1564-83-0x0000000000000000-mapping.dmp

Download
memory/1588-138-0x0000000001A60000-0x0000000001A66000-memory.dmp

Filesize
24KB

Download
memory/1588-143-0x0000000001D77000-0x0000000001D78000-memory.dmp

Filesize
4KB

Download
memory/1588-141-0x0000000001D74000-0x0000000001D76000-memory.dmp

Filesize
8KB

Download
memory/1588-142-0x0000000001D76000-0x0000000001D77000-memory.dmp

Filesize
4KB

Download
memory/1588-140-0x0000000001D72000-0x0000000001D74000-memory.dmp

Filesize
8KB

Download
memory/1588-137-0x0000000001A60000-0x0000000001A66000-memory.dmp

Filesize
24KB

Download
memory/1608-57-0x000000001A8E0000-0x000000001A8E2000-memory.dmp

Filesize
8KB

Download
memory/1608-55-0x0000000000220000-0x00000000002D2000-memory.dmp

Filesize
712KB

Download
memory/1608-56-0x0000000000220000-0x00000000002D2000-memory.dmp

Filesize
712KB

Download
memory/1624-104-0x000000000279B000-0x00000000027BA000-memory.dmp

Filesize
124KB

Download
memory/1624-103-0x000000001B700000-0x000000001B9FF000-memory.dmp

Filesize
3.0MB

Download
memory/1624-100-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download
memory/1624-95-0x0000000000000000-mapping.dmp

Download
memory/1624-101-0x0000000002792000-0x0000000002794000-memory.dmp

Filesize
8KB

Download
memory/1624-98-0x000007FEED080000-0x000007FEEDBDD000-memory.dmp

Filesize
11.4MB

Download
memory/1624-102-0x0000000002794000-0x0000000002797000-memory.dmp

Filesize
12KB

Download
memory/1676-93-0x0000000002724000-0x0000000002727000-memory.dmp

Filesize
12KB

Download
memory/1676-94-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1676-99-0x000000000272B000-0x000000000274A000-memory.dmp

Filesize
124KB

Download
memory/1676-85-0x000007FEECFF0000-0x000007FEEDB4D000-memory.dmp

Filesize
11.4MB

Download
memory/1676-81-0x0000000000000000-mapping.dmp

Download
memory/1676-82-0x000007FEFB731000-0x000007FEFB733000-memory.dmp

Filesize
8KB

Download
memory/1676-91-0x0000000002720000-0x0000000002722000-memory.dmp

Filesize
8KB

Download
memory/1676-92-0x0000000002722000-0x0000000002724000-memory.dmp

Filesize
8KB

Download
memory/1712-67-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-60-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-74-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/1712-73-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-112-0x0000000000000000-mapping.dmp

Download
memory/1712-71-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1712-64-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-63-0x000000000041BBCE-mapping.dmp

Download
memory/1712-72-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-58-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-59-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-70-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1712-61-0x0000000000090000-0x00000000000B0000-memory.dmp

Filesize
128KB

Download
memory/1732-120-0x000000001B247000-0x000000001B248000-memory.dmp

Filesize
4KB

Download
memory/1732-119-0x000000001B246000-0x000000001B247000-memory.dmp

Filesize
4KB

Download
memory/1732-118-0x000000001B244000-0x000000001B246000-memory.dmp

Filesize
8KB

Download
memory/1732-117-0x000000001B242000-0x000000001B244000-memory.dmp

Filesize
8KB

Download
memory/1732-111-0x000000001B4B0000-0x000000001B6A2000-memory.dmp

Filesize
1.9MB

Download
memory/1732-110-0x000000001B4B0000-0x000000001B6A2000-memory.dmp

Filesize
1.9MB

Download
memory/1752-80-0x0000000000000000-mapping.dmp

Download
memory/1756-106-0x0000000000000000-mapping.dmp

Download
memory/1968-88-0x0000000001CD4000-0x0000000001CD6000-memory.dmp

Filesize
8KB

Download
memory/1968-90-0x0000000001CD7000-0x0000000001CD8000-memory.dmp

Filesize
4KB

Download
memory/1968-89-0x0000000001CD6000-0x0000000001CD7000-memory.dmp

Filesize
4KB

Download
memory/1968-87-0x0000000001CD2000-0x0000000001CD4000-memory.dmp

Filesize
8KB

Download
memory/1968-86-0x0000000000260000-0x0000000000452000-memory.dmp

Filesize
1.9MB

Download
memory/1968-79-0x000000001B210000-0x000000001B402000-memory.dmp

Filesize
1.9MB

Download
memory/1968-78-0x000000001B210000-0x000000001B402000-memory.dmp

Filesize
1.9MB

Download
memory/1996-122-0x00000000027F2000-0x00000000027F4000-memory.dmp

Filesize
8KB

Download
memory/1996-121-0x00000000027F0000-0x00000000027F2000-memory.dmp

Filesize
8KB

Download
memory/1996-116-0x000007FEECFF0000-0x000007FEEDB4D000-memory.dmp

Filesize
11.4MB

Download
memory/1996-113-0x0000000000000000-mapping.dmp

Download
memory/1996-131-0x00000000027FB000-0x000000000281A000-memory.dmp

Filesize
124KB

Download
memory/1996-123-0x00000000027F4000-0x00000000027F7000-memory.dmp

Filesize
12KB

Download