Analysis
- max time kernel: 133s
- max time network: 120s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 22-12-2021 21:39
Static task: static1
Behavioral task: behavioral1
- Sample: 52fc012dd5afbbe2a0de6eb91bc888cc.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 52fc012dd5afbbe2a0de6eb91bc888cc.exe
- Resource: win10-en-20211208
General
- Target: 52fc012dd5afbbe2a0de6eb91bc888cc.exe
- Size: 698KB
- MD5: 52fc012dd5afbbe2a0de6eb91bc888cc
- SHA1: aae34b8665dd350a3aeb2fe2d8651825387f7062
- SHA256: 9a388aea47d2682630cd9208ba1f0ae9a9e9c1a57aa0448fb6c2995afe1da9be
- SHA512: 5d81171a9725b74d3e7e1de5e6d22b0da17ea8fef75f3c9b4f8cc06c2ed31fc30ab075d5a24206b989d5ca36ecaa77b77b8ca14f0c0d743f85b7da73439f03fa
Malware Config
Extracted: redline
- 185.215.113.57:50723
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 8 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1712-60-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-61-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-63-0x000000000041BBCE-mapping.dmp | family_redline
behavioral1/memory/1712-64-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-67-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-70-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-72-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
behavioral1/memory/1712-73-0x0000000000090000-0x00000000000B0000-memory.dmp | family_redline
-
Downloads MZ/PE file
-
Executes dropped EXE 3 IoCs
Processes:
pid | process
280 | fl.exe
1348 | services32.exe
1464 | sihost32.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
1712 | RegAsm.exe
1756 | cmd.exe
1732 | conhost.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 7 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\Microsoft\Telemetry\sihost32.exe | conhost.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File created | C:\Windows\system32\services32.exe | conhost.exe
File opened for modification | C:\Windows\system32\services32.exe | conhost.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1608 set thread context of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RegAsm.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RegAsm.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies system certificate store
Processes:
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25040000000100000010000000d474de575c39b2d39c8583c5c065498a2000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a | RegAsm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 | RegAsm.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 | RegAsm.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid | process
1712 | RegAsm.exe
1712 | RegAsm.exe
1712 | RegAsm.exe
1968 | conhost.exe
1676 | powershell.exe
1624 | powershell.exe
1732 | conhost.exe
1732 | conhost.exe
1996 | powershell.exe
1116 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1712 | RegAsm.exe
Token: SeDebugPrivilege | 1968 | conhost.exe
Token: SeDebugPrivilege | 1676 | powershell.exe
Token: SeDebugPrivilege | 1624 | powershell.exe
Token: SeDebugPrivilege | 1732 | conhost.exe
Token: SeDebugPrivilege | 1996 | powershell.exe
Token: SeDebugPrivilege | 1116 | powershell.exe
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes:
description | pid | process | target process
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1608 wrote to memory of 1712 | 1608 | 52fc012dd5afbbe2a0de6eb91bc888cc.exe | RegAsm.exe
PID 1712 wrote to memory of 280 | 1712 | RegAsm.exe | fl.exe
PID 1712 wrote to memory of 280 | 1712 | RegAsm.exe | fl.exe
PID 1712 wrote to memory of 280 | 1712 | RegAsm.exe | fl.exe
PID 1712 wrote to memory of 280 | 1712 | RegAsm.exe | fl.exe
PID 280 wrote to memory of 1968 | 280 | fl.exe | conhost.exe
PID 280 wrote to memory of 1968 | 280 | fl.exe | conhost.exe
PID 280 wrote to memory of 1968 | 280 | fl.exe | conhost.exe
PID 280 wrote to memory of 1968 | 280 | fl.exe | conhost.exe
PID 1968 wrote to memory of 1752 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1752 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1752 | 1968 | conhost.exe | cmd.exe
PID 1752 wrote to memory of 1676 | 1752 | cmd.exe | powershell.exe
PID 1752 wrote to memory of 1676 | 1752 | cmd.exe | powershell.exe
PID 1752 wrote to memory of 1676 | 1752 | cmd.exe | powershell.exe
PID 1968 wrote to memory of 1564 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1564 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1564 | 1968 | conhost.exe | cmd.exe
PID 1564 wrote to memory of 1100 | 1564 | cmd.exe | schtasks.exe
PID 1564 wrote to memory of 1100 | 1564 | cmd.exe | schtasks.exe
PID 1564 wrote to memory of 1100 | 1564 | cmd.exe | schtasks.exe
PID 1752 wrote to memory of 1624 | 1752 | cmd.exe | powershell.exe
PID 1752 wrote to memory of 1624 | 1752 | cmd.exe | powershell.exe
PID 1752 wrote to memory of 1624 | 1752 | cmd.exe | powershell.exe
PID 1968 wrote to memory of 1756 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1756 | 1968 | conhost.exe | cmd.exe
PID 1968 wrote to memory of 1756 | 1968 | conhost.exe | cmd.exe
PID 1756 wrote to memory of 1348 | 1756 | cmd.exe | services32.exe
PID 1756 wrote to memory of 1348 | 1756 | cmd.exe | services32.exe
PID 1756 wrote to memory of 1348 | 1756 | cmd.exe | services32.exe
PID 1348 wrote to memory of 1732 | 1348 | services32.exe | conhost.exe
PID 1348 wrote to memory of 1732 | 1348 | services32.exe | conhost.exe
PID 1348 wrote to memory of 1732 | 1348 | services32.exe | conhost.exe
PID 1348 wrote to memory of 1732 | 1348 | services32.exe | conhost.exe
PID 1732 wrote to memory of 1712 | 1732 | conhost.exe | cmd.exe
PID 1732 wrote to memory of 1712 | 1732 | conhost.exe | cmd.exe
PID 1732 wrote to memory of 1712 | 1732 | conhost.exe | cmd.exe
PID 1712 wrote to memory of 1996 | 1712 | cmd.exe | powershell.exe
PID 1712 wrote to memory of 1996 | 1712 | cmd.exe | powershell.exe
PID 1712 wrote to memory of 1996 | 1712 | cmd.exe | powershell.exe
PID 1732 wrote to memory of 1464 | 1732 | conhost.exe | sihost32.exe
PID 1732 wrote to memory of 1464 | 1732 | conhost.exe | sihost32.exe
PID 1732 wrote to memory of 1464 | 1732 | conhost.exe | sihost32.exe
PID 1712 wrote to memory of 1116 | 1712 | cmd.exe | powershell.exe
PID 1712 wrote to memory of 1116 | 1712 | cmd.exe | powershell.exe
PID 1712 wrote to memory of 1116 | 1712 | cmd.exe | powershell.exe
Processes
C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\52fc012dd5afbbe2a0de6eb91bc888cc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: #cmd
    - Loads dropped DLL
    - Checks processor information in registry
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\fl.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\fl.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\System32\conhost.exe
        Command line: "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\fl.exe"
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
          - Suspicious use of WriteProcessMemory
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
          C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
            - Drops file in System32 directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
        C:\Windows\System32\cmd.exe
          Command line: "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\schtasks.exe
            Command line: schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr "C:\Windows\system32\services32.exe"
            - Creates scheduled task(s)
        C:\Windows\System32\cmd.exe
          Command line: "cmd" cmd /c "C:\Windows\system32\services32.exe"
          - Loads dropped DLL
          - Suspicious use of WriteProcessMemory
          C:\Windows\system32\services32.exe
            Command line: C:\Windows\system32\services32.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            C:\Windows\System32\conhost.exe
              Command line: "C:\Windows\System32\conhost.exe" "C:\Windows\system32\services32.exe"
              - Loads dropped DLL
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory
              C:\Windows\System32\cmd.exe
                Command line: "cmd" cmd /c powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit
                - Suspicious use of WriteProcessMemory
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionPath @(($pwd).path, $env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Command line: powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"
                  - Drops file in System32 directory
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
              C:\Windows\system32\Microsoft\Telemetry\sihost32.exe
                Command line: "C:\Windows\system32\Microsoft\Telemetry\sihost32.exe"
                - Executes dropped EXE
                C:\Windows\System32\conhost.exe
                  Command line: "C:\Windows\System32\conhost.exe" "/sihost32"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\fl.exe
  MD5: a8b987b72d561e365d7b62cffdd44908
  SHA1: 59125b006372bca87573a88d7826cfd967b50202
  SHA256: 8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728
  SHA512: 44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: 89188da1021b5c2633467d28a05df711
  SHA1: 3d2ea83f3bfb0b65c5f7b464d605f1ab75c584e1
  SHA256: 2fb86599e8cc3b63331411b404d3c4586f79cac5bbf6d3fff6b7450625d4f371
  SHA512: 43d1dded1844983a7300b70840b06b24465a796afb312936b1769a89b3dfa6c043fc532b6ccc50f3d4a3617dc75aaaa220c1efb9382586a803a972b1cda16445
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  MD5: ff6a89ca55e7b9a1c48510e218e3bd73
  SHA1: d2e5c316200c641e48c6188de401a4a0a0ca5b01
  SHA256: 61fffbeb536f24d5b479f6f5fb716845617cc74166484d6e1bfd98b2329d854c
  SHA512: 584e0a4b853aa7c3afa6d7ea2e1051d7aaaea2120d6118da4008b28ad52380695d1f804ff56a287729ff9ceb71581756dbdb6de66e0aced05c27c0d8213fe1a4
C:\Windows\System32\Microsoft\Telemetry\sihost32.exe
  MD5: 86fcce6aeceb68ca90fb404b5c6f18fa
  SHA1: 4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c
  SHA256: 9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9
  SHA512: cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5
C:\Windows\System32\services32.exe
  MD5: a8b987b72d561e365d7b62cffdd44908
  SHA1: 59125b006372bca87573a88d7826cfd967b50202
  SHA256: 8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728
  SHA512: 44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7
C:\Windows\system32\services32.exe
  MD5: a8b987b72d561e365d7b62cffdd44908
  SHA1: 59125b006372bca87573a88d7826cfd967b50202
  SHA256: 8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728
  SHA512: 44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7
\Users\Admin\AppData\Local\Temp\fl.exe
  MD5: a8b987b72d561e365d7b62cffdd44908
  SHA1: 59125b006372bca87573a88d7826cfd967b50202
  SHA256: 8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728
  SHA512: 44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7
\Windows\System32\Microsoft\Telemetry\sihost32.exe
  MD5: 86fcce6aeceb68ca90fb404b5c6f18fa
  SHA1: 4e4cd6a813e2cdfe27f2df24b6c897a5ef37bd1c
  SHA256: 9ae77a6a33a1c9070859ff38a3346cbecfa552c8ec609d96bb05eb222bb887f9
  SHA512: cfeba1eafe815483940567881100d45590ce19f4da8ad8fc7c7393daf193afb27f4c810266369413fa5a7a46cd77065f0b8fe8c9ed7fab83ef5f2d5fbdea18c5
\Windows\System32\services32.exe
  MD5: a8b987b72d561e365d7b62cffdd44908
  SHA1: 59125b006372bca87573a88d7826cfd967b50202
  SHA256: 8ba07646bf26373d87cd05f6c7df4e0eb4bef4660385ea0be7dea10eef891728
  SHA512: 44aaf1e354d08f7a690bb3c32142c625fec846f97c371f1713d3d7b90b3c6989e1f042627a30428f9223af4afda40630de847df57e5527ca5f789495beeac5d7
memory/280-76-0x0000000000000000-mapping.dmp
memory/1100-84-0x0000000000000000-mapping.dmp
memory/1116-135-0x000000001B6F0000-0x000000001B9EF000-memory.dmp | Filesize 3.0MB
memory/1116-134-0x0000000002434000-0x0000000002437000-memory.dmp | Filesize 12KB
memory/1116-133-0x0000000002432000-0x0000000002434000-memory.dmp | Filesize 8KB
memory/1116-136-0x000000000243B000-0x000000000245A000-memory.dmp | Filesize 124KB
memory/1116-132-0x0000000002430000-0x0000000002432000-memory.dmp | Filesize 8KB
memory/1116-130-0x000007FEF2670000-0x000007FEF31CD000-memory.dmp | Filesize 11.4MB
memory/1116-127-0x0000000000000000-mapping.dmp
memory/1348-108-0x0000000000000000-mapping.dmp
memory/1464-125-0x0000000000000000-mapping.dmp
memory/1564-83-0x0000000000000000-mapping.dmp
memory/1588-138-0x0000000001A60000-0x0000000001A66000-memory.dmp | Filesize 24KB
memory/1588-143-0x0000000001D77000-0x0000000001D78000-memory.dmp | Filesize 4KB
memory/1588-141-0x0000000001D74000-0x0000000001D76000-memory.dmp | Filesize 8KB
memory/1588-142-0x0000000001D76000-0x0000000001D77000-memory.dmp | Filesize 4KB
memory/1588-140-0x0000000001D72000-0x0000000001D74000-memory.dmp | Filesize 8KB
memory/1588-137-0x0000000001A60000-0x0000000001A66000-memory.dmp | Filesize 24KB
memory/1608-57-0x000000001A8E0000-0x000000001A8E2000-memory.dmp | Filesize 8KB
memory/1608-55-0x0000000000220000-0x00000000002D2000-memory.dmp | Filesize 712KB
memory/1608-56-0x0000000000220000-0x00000000002D2000-memory.dmp | Filesize 712KB
memory/1624-104-0x000000000279B000-0x00000000027BA000-memory.dmp | Filesize 124KB
memory/1624-103-0x000000001B700000-0x000000001B9FF000-memory.dmp | Filesize 3.0MB
memory/1624-100-0x0000000002790000-0x0000000002792000-memory.dmp | Filesize 8KB
memory/1624-95-0x0000000000000000-mapping.dmp
memory/1624-101-0x0000000002792000-0x0000000002794000-memory.dmp | Filesize 8KB
memory/1624-98-0x000007FEED080000-0x000007FEEDBDD000-memory.dmp | Filesize 11.4MB
memory/1624-102-0x0000000002794000-0x0000000002797000-memory.dmp | Filesize 12KB
memory/1676-93-0x0000000002724000-0x0000000002727000-memory.dmp | Filesize 12KB
memory/1676-94-0x000000001B760000-0x000000001BA5F000-memory.dmp | Filesize 3.0MB
memory/1676-99-0x000000000272B000-0x000000000274A000-memory.dmp | Filesize 124KB
memory/1676-85-0x000007FEECFF0000-0x000007FEEDB4D000-memory.dmp | Filesize 11.4MB
memory/1676-81-0x0000000000000000-mapping.dmp
memory/1676-82-0x000007FEFB731000-0x000007FEFB733000-memory.dmp | Filesize 8KB
memory/1676-91-0x0000000002720000-0x0000000002722000-memory.dmp | Filesize 8KB
memory/1676-92-0x0000000002722000-0x0000000002724000-memory.dmp | Filesize 8KB
memory/1712-67-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-60-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-74-0x0000000000CA0000-0x0000000000CA1000-memory.dmp | Filesize 4KB
memory/1712-73-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-112-0x0000000000000000-mapping.dmp
memory/1712-71-0x0000000075AC1000-0x0000000075AC3000-memory.dmp | Filesize 8KB
memory/1712-64-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-63-0x000000000041BBCE-mapping.dmp
memory/1712-72-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-58-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-59-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-70-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1712-61-0x0000000000090000-0x00000000000B0000-memory.dmp | Filesize 128KB
memory/1732-120-0x000000001B247000-0x000000001B248000-memory.dmp | Filesize 4KB
memory/1732-119-0x000000001B246000-0x000000001B247000-memory.dmp | Filesize 4KB
memory/1732-118-0x000000001B244000-0x000000001B246000-memory.dmp | Filesize 8KB
memory/1732-117-0x000000001B242000-0x000000001B244000-memory.dmp | Filesize 8KB
memory/1732-111-0x000000001B4B0000-0x000000001B6A2000-memory.dmp | Filesize 1.9MB
memory/1732-110-0x000000001B4B0000-0x000000001B6A2000-memory.dmp | Filesize 1.9MB
memory/1752-80-0x0000000000000000-mapping.dmp
memory/1756-106-0x0000000000000000-mapping.dmp
memory/1968-88-0x0000000001CD4000-0x0000000001CD6000-memory.dmp | Filesize 8KB
memory/1968-90-0x0000000001CD7000-0x0000000001CD8000-memory.dmp | Filesize 4KB
memory/1968-89-0x0000000001CD6000-0x0000000001CD7000-memory.dmp | Filesize 4KB
memory/1968-87-0x0000000001CD2000-0x0000000001CD4000-memory.dmp | Filesize 8KB
memory/1968-86-0x0000000000260000-0x0000000000452000-memory.dmp | Filesize 1.9MB
memory/1968-79-0x000000001B210000-0x000000001B402000-memory.dmp | Filesize 1.9MB
memory/1968-78-0x000000001B210000-0x000000001B402000-memory.dmp | Filesize 1.9MB
memory/1996-122-0x00000000027F2000-0x00000000027F4000-memory.dmp | Filesize 8KB
memory/1996-121-0x00000000027F0000-0x00000000027F2000-memory.dmp | Filesize 8KB
memory/1996-116-0x000007FEECFF0000-0x000007FEEDB4D000-memory.dmp | Filesize 11.4MB
memory/1996-113-0x0000000000000000-mapping.dmp
memory/1996-131-0x00000000027FB000-0x000000000281A000-memory.dmp | Filesize 124KB
memory/1996-123-0x00000000027F4000-0x00000000027F7000-memory.dmp | Filesize 12KB