Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-en-20211208
submitted: 01-02-2022 17:07

Static task: static1

Behavioral task: behavioral1
Sample: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
Resource: win10v2004-en-20220113

The signatures, process tree, dropped files and memory dumps below all come from behavioral1 (windows7_x64, win7-en-20211208); this page carries no results from the behavioral2 (win10v2004) run.

General

Target: b81f2f2d3c122a53a0c99f0b21e0ff79.exe
Size: 6.9MB
MD5: b81f2f2d3c122a53a0c99f0b21e0ff79
SHA1: 9b7e2b6b3464b5130f05b10f170e07fc8356ad2e
SHA256: 914cd602a58f69dd35dd207d8128807926a139f27f4d8b7b2b958041783bc10c
SHA512: 51ca133984ade0dbf6d926185a948c13f421da2dbe23b51bb2df22fd3c4c153de593e993b497f97ea18ae9e4060a14a3cdb537c27bc2922483235d2563402c76

Malware Config

Extracted: redline
C2: 91.243.59.131:7171
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (4 IoCs)
yara_rule family_redline matched in memory of PID 1668, the hollowed RegAsm.exe; the unpacked payload sits at 0x400000-0x46C000 (432KB):
- behavioral1/memory/1668-104-0x0000000000400000-0x000000000046C000-memory.dmp
- behavioral1/memory/1668-105-0x0000000000400000-0x000000000046C000-memory.dmp
- behavioral1/memory/1668-106-0x0000000000400000-0x000000000046C000-memory.dmp
- behavioral1/memory/1668-108-0x0000000000400000-0x000000000046C000-memory.dmp

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Downloads MZ/PE file

Executes dropped EXE (7 IoCs)
- 472 steal.exe
- 672 123.exe
- 1876 RegHost.exe
- 1132 WindowsDefender.exe
- 564 RegHost.exe
- 1580 RegHost.exe
- 564 RegHost.exe (PID 564 is listed twice in the report)

UPX-packed (yara_rule upx, 5 IoCs)
- behavioral1/memory/1272-71-0x0000000140000000-0x000000014274C000-memory.dmp
- behavioral1/memory/1272-72-0x0000000140000000-0x000000014274C000-memory.dmp
- behavioral1/memory/1272-73-0x0000000140000000-0x000000014274C000-memory.dmp
- \Users\Admin\AppData\Local\Temp\WindowsDefender.exe
- C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
PID 1272 is the bfsvc.exe that 123.exe hollowed (see SetThreadContext below); the 39.3MB UPX image mapped at 0x140000000 is the injected payload, which from the command line is the miner, not the on-disk bfsvc.exe. WindowsDefender.exe is UPX-packed on disk.

Checks BIOS information in registry (2 TTPs, 10 IoCs)
BIOS information is often read in order to detect sandboxing environments.
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion: RegHost.exe (x4), 123.exe (x1)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion: RegHost.exe (x4), 123.exe (x1)

Loads dropped DLL (15 IoCs)
- 1260 b81f2f2d3c122a53a0c99f0b21e0ff79.exe (x3)
- 1356 (image name not recorded in the report)
- 1076 explorer.exe (x2)
- 1668 RegAsm.exe
- 1300 explorer.exe
- 768 explorer.exe
- 1364 powershell.exe
- 1404 (x4, image name not recorded in the report)
- 1712 explorer.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Themida-protected (yara_rule themida, 28 IoCs)
- C:\Users\Admin\AppData\Local\Temp\123.exe (5 entries, including the drive-less path spelling)
- C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (10 entries, including the drive-less path spelling)
- behavioral1/memory/672-65, 672-66, 672-67: 0x000000013FC80000-0x0000000140584000 (123.exe)
- behavioral1/memory/1876-89, 1876-90, 1876-91: 0x000000013F900000-0x0000000140204000 (RegHost.exe)
- behavioral1/memory/564-120, 564-121, 564-123: 0x000000013F160000-0x000000013FA64000 (RegHost.exe)
- behavioral1/memory/1580-143, 1580-144, 1580-145: 0x000000013FA20000-0x0000000140324000 (RegHost.exe)
- behavioral1/memory/1364-138: 0x00000000025B0000-0x00000000031FA000 (powershell.exe, the upd.ps1 host, carrying a Themida-protected image in memory)

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 5 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RegHost = "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe": written by 123.exe (x1) and by each RegHost.exe instance (x4)
The value is under HKLM, not HKCU, so the write needs administrative rights (the sandbox user is Admin); the report shows no HKCU fallback.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system. The report lists no individual IoCs for this signature.

Checks whether UAC is enabled (5 IoCs)
The EnableLUA queries below belong to this signature, which the process tree attributes to 123.exe and every RegHost.exe; they are not Uninstall-key lookups.
- Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA: RegHost.exe (x4), 123.exe (x1)

Suspicious use of SetThreadContext (10 IoCs)
source PID / image -> target PID / image
- 672 123.exe -> 1272 bfsvc.exe
- 672 123.exe -> 1076 explorer.exe
- 1876 RegHost.exe -> 992 bfsvc.exe
- 472 steal.exe -> 1668 RegAsm.exe
- 1876 RegHost.exe -> 1300 explorer.exe
- 564 RegHost.exe -> 816 bfsvc.exe
- 564 RegHost.exe -> 768 explorer.exe
- 1580 RegHost.exe -> 1648 bfsvc.exe
- 1580 RegHost.exe -> 1712 explorer.exe
- 564 RegHost.exe -> 1892 bfsvc.exe
Paired with the WriteProcessMemory entries below (the same parent/child pairs), this is process hollowing: each child is a legitimate Windows binary (bfsvc.exe, explorer.exe, RegAsm.exe) whose on-disk image is untouched, so hashing the target's file finds nothing; the children's memory dumps are the artefacts to examine.

Drops file in Program Files directory (1 IoCs)
- File created C:\Program Files\Google\Chrome\Application\launcher.exe by WindowsDefender.exe (another write that needs administrative rights)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description calls this likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that, and volume enumeration is equally consistent with the stealer and miner components seen here.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 by RegAsm.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString by RegAsm.exe
RegAsm.exe here is PID 1668, the hollowed process carrying RedLine; a stealer also collects this for the host profile it reports, so the read is not anti-sandbox evidence on its own.

Kills process with taskkill (3 IoCs)
- 1924 taskkill.exe
- 1700 taskkill.exe
- 948 taskkill.exe

Suspicious behavior: EnumeratesProcesses (46 IoCs)
- 1076 explorer.exe (x10)
- 1668 RegAsm.exe (x5)
- 1300 explorer.exe (x5)
- 768 explorer.exe (x15)
- 1364 powershell.exe (x1)
- 1712 explorer.exe (x10)

Suspicious use of AdjustPrivilegeToken (5 IoCs)
Token: SeDebugPrivilege
- 1668 RegAsm.exe
- 948 taskkill.exe
- 1364 powershell.exe
- 1924 taskkill.exe
- 1700 taskkill.exe

Suspicious use of WriteProcessMemory (64 IoCs)
source PID / image -> target PID / image (number of writes)
- 1260 b81f2f2d3c122a53a0c99f0b21e0ff79.exe -> 472 steal.exe (x4)
- 1260 b81f2f2d3c122a53a0c99f0b21e0ff79.exe -> 672 123.exe (x4)
- 672 123.exe -> 1272 bfsvc.exe (x9)
- 672 123.exe -> 1076 explorer.exe (x18)
- 1076 explorer.exe -> 1876 RegHost.exe (x3)
- 1876 RegHost.exe -> 992 bfsvc.exe (x9)
- 1876 RegHost.exe -> 1300 explorer.exe (x12)
- 472 steal.exe -> 1668 RegAsm.exe (x5)
Processes

behavioral1; depth from the sandbox shown in brackets, PIDs added from the Signatures section where the mapping is unambiguous.

[1] C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe (PID 1260)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\b81f2f2d3c122a53a0c99f0b21e0ff79.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\steal.exe (PID 472)
      cmdline: C:\Users\Admin\AppData\Local\Temp\steal.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1668; hollowed by steal.exe, hosts the RedLine payload)
        cmdline: #cmd
        - Loads dropped DLL
        - Checks processor information in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [4] C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe (PID 1132; a dropped file, not the Windows component)
          cmdline: "C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /IM chrome.exe
          [6] C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /IM chrome.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c powershell -noexit -ExecutionPolicy Bypass -File C:\Users\Default\AppData\Local\Temp\upd.ps1
          [6] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1364)
              cmdline: powershell -noexit -ExecutionPolicy Bypass -File C:\Users\Default\AppData\Local\Temp\upd.ps1
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /IM powershell.exe
          [6] C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /f /IM powershell.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /c taskkill /f /IM cmd.exe
          [6] C:\Windows\SysWOW64\taskkill.exe
              cmdline: taskkill /f /IM cmd.exe
              - Kills process with taskkill
              - Suspicious use of AdjustPrivilegeToken

  [2] C:\Users\Admin\AppData\Local\Temp\123.exe (PID 672)
      cmdline: C:\Users\Admin\AppData\Local\Temp\123.exe
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\bfsvc.exe (PID 1272; hollowed by 123.exe)
        cmdline: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22

    [3] C:\Windows\explorer.exe (PID 1076; hollowed by 123.exe)
        cmdline: C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (PID 1876)
          cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\bfsvc.exe (PID 992; hollowed by RegHost.exe)
            cmdline: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22

        [5] C:\Windows\explorer.exe (PID 1300; hollowed by RegHost.exe)
            cmdline: C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses

          [6] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (PID 564)
              cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Suspicious use of SetThreadContext

            [7] C:\Windows\bfsvc.exe (PID 816; hollowed by RegHost.exe)
                cmdline: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22

            [7] C:\Windows\explorer.exe (PID 768; hollowed by RegHost.exe)
                cmdline: C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
                - Loads dropped DLL
                - Suspicious behavior: EnumeratesProcesses

              [8] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (PID 1580)
                  cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                  - Executes dropped EXE
                  - Checks BIOS information in registry
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Suspicious use of SetThreadContext

                [9] C:\Windows\bfsvc.exe (PID 1648; hollowed by RegHost.exe)
                    cmdline: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22

                [9] C:\Windows\explorer.exe (PID 1712; hollowed by RegHost.exe)
                    cmdline: C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"
                    - Loads dropped DLL
                    - Suspicious behavior: EnumeratesProcesses

                  [10] C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe
                       cmdline: "C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe"
                       - Executes dropped EXE
                       - Checks BIOS information in registry
                       - Adds Run key to start application
                       - Checks whether UAC is enabled
                       - Suspicious use of SetThreadContext

                    [11] C:\Windows\bfsvc.exe (hollowed by RegHost.exe)
                         cmdline: C:\Windows\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 --user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22

                    [11] C:\Windows\explorer.exe (hollowed by RegHost.exe)
                         cmdline: C:\Windows\explorer.exe "qwe1" "Standard%20VGA%20Graphics%20Adapter" "ga" "etc"

Two independent chains run from the dropper. The first (steal.exe) hollows RegAsm.exe, the .NET assembly registration tool, to host RedLine, whose C2 is the 91.243.59.131:7171 given in Malware Config; the RedLine process then runs the dropped WindowsDefender.exe, which terminates chrome.exe, runs upd.ps1 out of the Default user's profile with the execution policy bypassed, and finally force-kills every powershell.exe and cmd.exe. The second (123.exe) hollows bfsvc.exe, the Windows Boot File Servicing Utility, with an ETCHASH (Ethereum Classic) miner pointed at eu1-etc.ethermine.org:4444 and wallet 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12, and hollows explorer.exe with a payload that starts RegHost.exe, the persisted copy of 123.exe. Each RegHost.exe repeats both injections and its explorer.exe starts RegHost.exe again, which is why four nested generations appear inside the 117-second run; an infected host accumulates bfsvc.exe and explorer.exe instances whose command lines no legitimate copy of those binaries ever has.
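The behaviours recorded in the Signatures section and the process tree above (hollowing of OS binaries from AppData-resident parents, the miner command line, the HKLM Run value pointing into AppData, the execution-policy bypass against a script in the Default profile, and the RedLine C2) reduce to a handful of checks over process, registry, thread-context and network events. The following Python is an added example written for this page, not sandbox output or any vendor's code; the event records are constructed from the report's own PIDs, images, command lines, registry paths and C2, and the dict layout (a `type` field plus per-type keys) is an assumption for the example rather than a real telemetry schema.

```python
import re

# Constructed event stream modelled on the Signatures and Processes sections of the
# report (same images, PIDs, command lines, registry paths and C2). The dict layout
# is an assumption for this example, not a sandbox or Sysmon schema.
EVENTS = [
    {"type": "process", "pid": 672,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe",
     "cmdline": "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe"},
    {"type": "set_thread_context", "pid": 672,
     "src_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe",
     "target_pid": 1272, "target_image": "C:\\Windows\\bfsvc.exe"},
    {"type": "process", "pid": 1272, "image": "C:\\Windows\\bfsvc.exe",
     "cmdline": "C:\\Windows\\bfsvc.exe --algo ETCHASH --pool eu1-etc.ethermine.org:4444 "
                "--user 0x7D77fc78A83E9c01b08b33584EccbB71d2dFcA12 --worker g22"},
    {"type": "registry_set", "pid": 672,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\RegHost",
     "data": "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe"},
    {"type": "set_thread_context", "pid": 472,
     "src_image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\steal.exe",
     "target_pid": 1668,
     "target_image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe"},
    {"type": "process", "pid": 1364,
     "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell -noexit -ExecutionPolicy Bypass -File "
                "C:\\Users\\Default\\AppData\\Local\\Temp\\upd.ps1"},
    {"type": "network", "pid": 1668, "dst": "91.243.59.131", "dport": 7171},
    # Two constructed benign controls that must not fire.
    {"type": "registry_set", "pid": 999,
     "key": "\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "data": "C:\\Program Files\\Vendor\\app.exe"},
    {"type": "process", "pid": 1000, "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\Admin\\notes.txt"},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
OS_BINARY = re.compile(r"^C:\\Windows\\", re.I)
# --algo/--pool followed somewhere by --user <40-hex-digit wallet>, as on bfsvc.exe above.
MINER_ARGS = re.compile(r"--(algo|pool)\s+\S+.*--user\s+0x[0-9a-f]{40}\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
PS_BYPASS = re.compile(r"-ExecutionPolicy\s+Bypass\b.*?-File\s+(\S+)", re.I)
DEFAULT_PROFILE = "c:\\users\\default\\"
REDLINE_C2 = {("91.243.59.131", 7171)}   # from the Malware Config section


def analyse(events):
    """Return (rule, pid, detail) for every event matching a behaviour from the report."""
    findings = []
    for e in events:
        kind = e["type"]
        if kind == "set_thread_context":
            # Thread context rewritten in an OS binary by a process that runs from a
            # user-writable directory: the hollowing pattern (123.exe -> bfsvc.exe,
            # steal.exe -> RegAsm.exe). The target's on-disk image stays legitimate.
            if USER_WRITABLE.search(e["src_image"]) and OS_BINARY.match(e["target_image"]):
                findings.append(("hollowing", e["pid"], e["target_image"]))
        elif kind == "process":
            if MINER_ARGS.search(e["cmdline"]):
                findings.append(("miner_cmdline", e["pid"], e["image"]))
            m = PS_BYPASS.search(e["cmdline"])
            if m and m.group(1).lower().startswith(DEFAULT_PROFILE):
                findings.append(("ps_bypass_default_profile", e["pid"], m.group(1)))
        elif kind == "registry_set":
            # Autorun value whose data points into AppData (RegHost.exe); a Program
            # Files target, as in the benign control, is left alone.
            if RUN_KEY.search(e["key"]) and USER_WRITABLE.search(e["data"]):
                findings.append(("run_key_appdata", e["pid"], e["data"]))
        elif kind == "network":
            if (e["dst"], e["dport"]) in REDLINE_C2:
                findings.append(("redline_c2", e["pid"], f"{e['dst']}:{e['dport']}"))
    return findings


def rule_counts(findings):
    """Number of findings per rule, for a quick triage summary."""
    counts = {}
    for rule, _pid, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, pid, detail in analyse(EVENTS):
        print(f"{rule:26} pid={pid:<5} {detail}")
```

On real telemetry, Sysmon event 1 (process create), 13 (registry value set) and 3 (network connection) carry the fields the process, registry_set and network rules need. SetThreadContext is not something Sysmon logs, so outside a sandbox the hollowing rule has to fall back to the parent/child shape the tree above also shows: an AppData-resident parent creating bfsvc.exe, explorer.exe or RegAsm.exe with a command line those binaries never take.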
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

One entry per unique path; the report lists each file several times (once per path spelling) with identical hashes.

C:\Program Files\Google\Chrome\Application\launcher.exe
MD5: b555ce6924de8b22121d29a6a153d3fa
SHA1: 49e5a197e7e4e5bded33820a55ab664c370c9794
SHA256: 0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19
SHA512: 1109aa9a26c2baec61fba873e4e27bbc4871e88366301dc32b7fd7383ea83da6d32ab8173db66c211b1ef3e334e1427370da19d77da8b804a71118bdbe35a1e0

C:\Users\Admin\AppData\Local\Temp\123.exe
MD5: f18bb590bdf69d8571ad7da70faa921b
SHA1: 47f58cf547153e5fc89165fbd83b118c51793569
SHA256: 0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69
SHA512: fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

C:\Users\Admin\AppData\Local\Temp\WindowsDefender.exe
MD5: 2536bc6692a942d2e87f45877aa1f54e
SHA1: c5a910052ce3facd0fc2d4b8725f88c8a86687b6
SHA256: e0551a15e4da35e27732aaad3c9b2a80f82c020067d1e5c7c3de9c91abe62fa0
SHA512: e705606e9bcc6efa79718798d5451131229577b2a7bdc2f18792cd8d388e286fcdda10c461ff2d1cd71759042828e0b5bda0b8cbdd8e68622534e9aff2bd83ab

C:\Users\Admin\AppData\Local\Temp\steal.exe
MD5: 231147ca2fbb27db182411c726d9489e
SHA1: 540fac37b19f2361973f3771a9ce4453dd1d370f
SHA256: 9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28
SHA512: a5c0b320f292fd60c4556cf3c04d399cc17ce941dbee9aabc4b03d7f396a9a59c7212e818220f641223161605f73bf0d28010ea0bc1ed7e4306c1ef983dd7691

C:\Users\Admin\AppData\Roaming\Microsoft\RegHost.exe (same hashes as 123.exe: the persisted binary is a byte-identical copy)
MD5: f18bb590bdf69d8571ad7da70faa921b
SHA1: 47f58cf547153e5fc89165fbd83b118c51793569
SHA256: 0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69
SHA512: fd2052b58297a2a2aa8ebd2a7d85f0abfff7db7fa601c3cebd29198e085e14aeda2615de3a8104112f038c975e1329c1bd4d5542d89bc136eb222e1955933817

C:\Users\Default\AppData\Local\Temp\upd.ps1
MD5: d1c27dd8b4ff0b91cb1b912bf9479c4d
SHA1: f1d6f19e9d938dd3b6a201f98ed8c76bd5c2fef7
SHA256: 62d6a28d2df837f8fdec3057178c2aa17336969008832a77602f6771561fe605
SHA512: e2b164601307345c5f8eac1cbf70c8ed8919e4745fb2a79700729e211d84ae9ae8ee51139c8aadfe6dbc994e13310ab5ef20a4d02b3f9d68d51d65a63e32b3ae
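The Downloads table above is the sweep list for a host suspected of running this sample. The following Python, added here and not part of the sandbox output, first collapses that table by SHA-256 (which is how RegHost.exe turns out to be the same bytes as 123.exe) and then hashes files under given roots against those values while also matching on the dropped basenames. The scratch directory and the files written by demo() are constructed for the example; the SHA-256 values in DROPPED are copied from the table.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from pathlib import Path, PureWindowsPath

# Dropped files and their SHA-256 values, copied from the Downloads section above.
DROPPED = {
    "C:\\Program Files\\Google\\Chrome\\Application\\launcher.exe":
        "0c6a37537be50d03c4c7d7fb1d64e881a2c363185712a1c0e1e2c86f2faf3f19",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\123.exe":
        "0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\WindowsDefender.exe":
        "e0551a15e4da35e27732aaad3c9b2a80f82c020067d1e5c7c3de9c91abe62fa0",
    "C:\\Users\\Admin\\AppData\\Local\\Temp\\steal.exe":
        "9bee06359c7817269767dc482760caeb14644b9607bce3231bf6d1760342fb28",
    "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\RegHost.exe":
        "0d276de3a1e7ef5de4f770d84735afacbc771c35118d46e1cecb49d1eedaec69",
    "C:\\Users\\Default\\AppData\\Local\\Temp\\upd.ps1":
        "62d6a28d2df837f8fdec3057178c2aa17336969008832a77602f6771561fe605",
}


def paths_by_hash(dropped):
    """Group dropped paths by content hash. A hash with more than one path is a
    self-copy: here the persisted RegHost.exe is byte-identical to 123.exe."""
    groups = defaultdict(list)
    for path, digest in dropped.items():
        groups[digest.lower()].append(path)
    return dict(groups)


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large drops do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(roots, hashes, names=None):
    """Walk roots and return (path, basename, sha256, reasons) for files whose content
    hash is in `hashes` or whose basename is one of the dropped-file names.
    PureWindowsPath is used for the basenames so the table parses on any OS."""
    names = {PureWindowsPath(p).name.lower() for p in (names or DROPPED)}
    hashes = {h.lower() for h in hashes}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                try:
                    digest = sha256_file(path)
                except OSError:
                    continue          # locked or unreadable: skip, do not abort the sweep
                reasons = []
                if digest in hashes:
                    reasons.append("hash")
                if name.lower() in names:
                    reasons.append("name")
                if reasons:
                    hits.append((str(path), name, digest, reasons))
    return hits


def demo():
    """Constructed demonstration in a scratch directory; no real malware is written.
    One file hits by name only, one by hash only, one not at all."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    (root / "Roaming" / "Microsoft").mkdir(parents=True)
    (root / "Roaming" / "Microsoft" / "RegHost.exe").write_bytes(b"constructed benign bytes")
    (root / "payload.bin").write_bytes(b"constructed payload bytes")
    (root / "clean.txt").write_bytes(b"nothing to see")
    hashes = {hashlib.sha256(b"constructed payload bytes").hexdigest()}
    return sweep([root], hashes)


if __name__ == "__main__":
    for digest, paths in paths_by_hash(DROPPED).items():
        print(digest, *paths, sep="\n    ")
    for path, _name, digest, reasons in demo():
        print(",".join(reasons), digest[:16], path)
```

Point roots at every profile under C:\Users (the sandbox user was Admin and upd.ps1 sat under Default) and at C:\Program Files\Google\Chrome\Application. A hash hit is conclusive; a name-only hit (a RegHost.exe with a different digest, say) is a lead to check against the HKLM Run value in the Signatures section, since the on-disk hashes change with every repack while the path and value name need not.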
-
Memory dumps (grouped by PID; image from the process tree)

PID 472 (steal.exe)
memory/472-58-0x00000000010B0000-0x0000000001218000-memory.dmp  1.4MB
memory/472-60-0x0000000000FF0000-0x0000000000FF1000-memory.dmp  4KB

PID 564 (RegHost.exe)
memory/564-120-0x000000013F160000-0x000000013FA64000-memory.dmp  9.0MB
memory/564-121-0x000000013F160000-0x000000013FA64000-memory.dmp  9.0MB
memory/564-123-0x000000013F160000-0x000000013FA64000-memory.dmp  9.0MB

PID 672 (123.exe)
memory/672-65-0x000000013FC80000-0x0000000140584000-memory.dmp  9.0MB
memory/672-66-0x000000013FC80000-0x0000000140584000-memory.dmp  9.0MB
memory/672-67-0x000000013FC80000-0x0000000140584000-memory.dmp  9.0MB

PID 1076 (explorer.exe, hollowed)
memory/1076-74-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-75-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-76-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-77-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-78-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-79-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-80-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-81-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-82-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-83-0x0000000140000000-0x000000014002A000-memory.dmp  168KB
memory/1076-84-0x000007FEFC081000-0x000007FEFC083000-memory.dmp  8KB

PID 1132 (WindowsDefender.exe)
memory/1132-122-0x0000000000230000-0x0000000000231000-memory.dmp  4KB

PID 1260 (b81f2f2d3c122a53a0c99f0b21e0ff79.exe)
memory/1260-54-0x0000000075D61000-0x0000000075D63000-memory.dmp  8KB

PID 1272 (bfsvc.exe, hollowed)
memory/1272-69-0x0000000140000000-0x000000014274C000-memory.dmp  39.3MB
memory/1272-71-0x0000000140000000-0x000000014274C000-memory.dmp  39.3MB
memory/1272-72-0x0000000140000000-0x000000014274C000-memory.dmp  39.3MB
memory/1272-73-0x0000000140000000-0x000000014274C000-memory.dmp  39.3MB

PID 1300 (explorer.exe, hollowed)
memory/1300-119-0x0000000140000000-0x000000014002A000-memory.dmp  168KB

PID 1364 (powershell.exe)
memory/1364-138-0x00000000025B0000-0x00000000031FA000-memory.dmp  12.3MB
memory/1364-142-0x00000000025B0000-0x00000000031FA000-memory.dmp  12.3MB

PID 1580 (RegHost.exe)
memory/1580-143-0x000000013FA20000-0x0000000140324000-memory.dmp  9.0MB
memory/1580-144-0x000000013FA20000-0x0000000140324000-memory.dmp  9.0MB
memory/1580-145-0x000000013FA20000-0x0000000140324000-memory.dmp  9.0MB

PID 1668 (RegAsm.exe, hollowed)
memory/1668-102-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-103-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-104-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-105-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-106-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-108-0x0000000000400000-0x000000000046C000-memory.dmp  432KB
memory/1668-109-0x0000000004F80000-0x0000000004F81000-memory.dmp  4KB

PID 1876 (RegHost.exe)
memory/1876-89-0x000000013F900000-0x0000000140204000-memory.dmp  9.0MB
memory/1876-90-0x000000013F900000-0x0000000140204000-memory.dmp  9.0MB
memory/1876-91-0x000000013F900000-0x0000000140204000-memory.dmp  9.0MB

The dumps to pull first are the 432KB region at 0x400000 in PID 1668 (matched by family_redline), the 39.3MB region at 0x140000000 in PID 1272 (matched by upx; the injected miner image) and the 168KB region at 0x140000000 that every hollowed explorer.exe (1076, 1300) carries; the 9.0MB regions in 123.exe and each RegHost.exe are the Themida-protected loader itself.