redline | 58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae

Analysis

max time kernel
156s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
16-02-2022 22:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

09637f910840cebb2f1e2524414c8d62.exe
Size

5.9MB
MD5

09637f910840cebb2f1e2524414c8d62
SHA1

f31516f4e0008dd5dea7f85722488a9db7007e43
SHA256

58484d3924b8c496a925660742b55da793ec4048765edf87c3116e5fb34ebeae
SHA512

9498b20333ca822c88358aa773475bd7604b2e1905417d078014ed41b084e2ab28a1ce197bc4e74aa49b3f2659d051cf803fd98ce9115442654c20b96c837a2c

Score

10^/10

redline fsdfsd test1 discovery evasion infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

TEST1

86.107.197.196:63065

Attributes

auth_value
27ffc688a5404c680b9ac629d48e2917

Extracted

Family

redline

Botnet

fsdfsd

86.107.197.196:63065

Attributes

auth_value
b81e14f18d963d6a399900f4e9593719

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

Processes:

resource	yara_rule
C:\Windows\1645050207.exe	family_redline
C:\Windows\1645050207.exe	family_redline
behavioral2/memory/3612-146-0x00000000001A0000-0x00000000001C0000-memory.dmp	family_redline
C:\Windows\1645050221.exe	family_redline
C:\Windows\1645050221.exe	family_redline
behavioral2/memory/220-155-0x0000000000A50000-0x0000000000A70000-memory.dmp	family_redline

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

09637f910840cebb2f1e2524414c8d62.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts 09637f910840cebb2f1e2524414c8d62.exe
Executes dropped EXE 7 IoCs

Processes:

1645050207.exe1645050221.exe1645050225.exe1645050231.exe1645050250.exe1645050260.exe1645050315.exe

pid process

3612 1645050207.exe
220 1645050221.exe
1000 1645050225.exe
4720 1645050231.exe
5032 1645050250.exe
3576 1645050260.exe
3496 1645050315.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031
Sets file to hidden 1 TTPs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1158
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	09637f910840cebb2f1e2524414c8d62.exe

pid	process
3612	1645050207.exe
220	1645050221.exe
1000	1645050225.exe
4720	1645050231.exe
5032	1645050250.exe
3576	1645050260.exe
3496	1645050315.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

09637f910840cebb2f1e2524414c8d62.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\svchost.exe"	09637f910840cebb2f1e2524414c8d62.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

attrib.exe09637f910840cebb2f1e2524414c8d62.exesvchost.exeTiWorker.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.exe	attrib.exe
File created	C:\Windows\1645050207.exe	09637f910840cebb2f1e2524414c8d62.exe
File created	C:\Windows\1645050221.exe	09637f910840cebb2f1e2524414c8d62.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File created	C:\Windows\1645050225.exe	09637f910840cebb2f1e2524414c8d62.exe
File created	C:\Windows\1645050231.exe	09637f910840cebb2f1e2524414c8d62.exe
File created	C:\Windows\1645050315.exe	09637f910840cebb2f1e2524414c8d62.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\1645050250.exe	09637f910840cebb2f1e2524414c8d62.exe
File created	C:\Windows\1645050260.exe	09637f910840cebb2f1e2524414c8d62.exe

Program crash 10 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1156	1000	WerFault.exe	1645050225.exe
1072	1000	WerFault.exe	1645050225.exe
2128	4720	WerFault.exe	1645050231.exe
4844	4720	WerFault.exe	1645050231.exe
3536	5032	WerFault.exe	1645050250.exe
1980	5032	WerFault.exe	1645050250.exe
4736	3576	WerFault.exe	1645050260.exe
2624	3576	WerFault.exe	1645050260.exe
4756	3496	WerFault.exe	1645050315.exe
3212	3496	WerFault.exe	1645050315.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4316 ipconfig.exe
GoLang User-Agent 2 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 18 Go-http-client/1.1
HTTP User-Agent header 44 Go-http-client/1.1
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe1645050207.exe1645050221.exe

pid process

936 powershell.exe
936 powershell.exe
4864 powershell.exe
4864 powershell.exe
3612 1645050207.exe
220 1645050221.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

cmd.exe

pid process

1952 cmd.exe

pid	process
4316	ipconfig.exe

description	flow	ioc
HTTP User-Agent header	18	Go-http-client/1.1
HTTP User-Agent header	44	Go-http-client/1.1

pid	process
936	powershell.exe
936	powershell.exe
4864	powershell.exe
4864	powershell.exe
3612	1645050207.exe
220	1645050221.exe

pid	process
1952	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewhoami.exewhoami.exeWMIC.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2876	whoami.exe
Token: SeDebugPrivilege	4544	whoami.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeIncreaseQuotaPrivilege	3200	WMIC.exe
Token: SeSecurityPrivilege	3200	WMIC.exe
Token: SeTakeOwnershipPrivilege	3200	WMIC.exe
Token: SeLoadDriverPrivilege	3200	WMIC.exe
Token: SeSystemProfilePrivilege	3200	WMIC.exe
Token: SeSystemtimePrivilege	3200	WMIC.exe
Token: SeProfSingleProcessPrivilege	3200	WMIC.exe
Token: SeIncBasePriorityPrivilege	3200	WMIC.exe
Token: SeCreatePagefilePrivilege	3200	WMIC.exe
Token: SeBackupPrivilege	3200	WMIC.exe
Token: SeRestorePrivilege	3200	WMIC.exe
Token: SeShutdownPrivilege	3200	WMIC.exe
Token: SeDebugPrivilege	3200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3200	WMIC.exe
Token: SeRemoteShutdownPrivilege	3200	WMIC.exe
Token: SeUndockPrivilege	3200	WMIC.exe
Token: SeManageVolumePrivilege	3200	WMIC.exe
Token: 33	3200	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

09637f910840cebb2f1e2524414c8d62.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4980 wrote to memory of 2568	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 2568	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1952	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1952	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 2568 wrote to memory of 936	2568	cmd.exe	powershell.exe
PID 2568 wrote to memory of 936	2568	cmd.exe	powershell.exe
PID 4980 wrote to memory of 4584	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4584	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4584 wrote to memory of 2432	4584	cmd.exe	netsh.exe
PID 4584 wrote to memory of 2432	4584	cmd.exe	netsh.exe
PID 4980 wrote to memory of 4004	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4004	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4004 wrote to memory of 2876	4004	cmd.exe	whoami.exe
PID 4004 wrote to memory of 2876	4004	cmd.exe	whoami.exe
PID 4980 wrote to memory of 4352	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4352	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4352 wrote to memory of 4544	4352	cmd.exe	whoami.exe
PID 4352 wrote to memory of 4544	4352	cmd.exe	whoami.exe
PID 4980 wrote to memory of 4444	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4444	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 3708	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 3708	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 3564	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 3564	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4444 wrote to memory of 3580	4444	cmd.exe	WMIC.exe
PID 4444 wrote to memory of 3580	4444	cmd.exe	WMIC.exe
PID 3564 wrote to memory of 4684	3564	cmd.exe	reg.exe
PID 3564 wrote to memory of 4684	3564	cmd.exe	reg.exe
PID 3708 wrote to memory of 4316	3708	cmd.exe	ipconfig.exe
PID 3708 wrote to memory of 4316	3708	cmd.exe	ipconfig.exe
PID 4980 wrote to memory of 4552	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4552	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1040	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1040	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4552 wrote to memory of 1964	4552	cmd.exe	attrib.exe
PID 4552 wrote to memory of 1964	4552	cmd.exe	attrib.exe
PID 1040 wrote to memory of 4864	1040	cmd.exe	powershell.exe
PID 1040 wrote to memory of 4864	1040	cmd.exe	powershell.exe
PID 4980 wrote to memory of 4948	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4948	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4948 wrote to memory of 3200	4948	cmd.exe	WMIC.exe
PID 4948 wrote to memory of 3200	4948	cmd.exe	WMIC.exe
PID 4980 wrote to memory of 632	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 632	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1448	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 1448	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	WMIC.exe
PID 1448 wrote to memory of 2012	1448	cmd.exe	WMIC.exe
PID 4980 wrote to memory of 4300	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4300	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4300 wrote to memory of 3612	4300	cmd.exe	1645050207.exe
PID 4300 wrote to memory of 3612	4300	cmd.exe	1645050207.exe
PID 4300 wrote to memory of 3612	4300	cmd.exe	1645050207.exe
PID 4980 wrote to memory of 2260	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 2260	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 2260 wrote to memory of 220	2260	cmd.exe	1645050221.exe
PID 2260 wrote to memory of 220	2260	cmd.exe	1645050221.exe
PID 2260 wrote to memory of 220	2260	cmd.exe	1645050221.exe
PID 4980 wrote to memory of 4368	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4980 wrote to memory of 4368	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe
PID 4368 wrote to memory of 1000	4368	cmd.exe	1645050225.exe
PID 4368 wrote to memory of 1000	4368	cmd.exe	1645050225.exe
PID 4368 wrote to memory of 1000	4368	cmd.exe	1645050225.exe
PID 4980 wrote to memory of 1276	4980	09637f910840cebb2f1e2524414c8d62.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1964 attrib.exe

pid	process
1964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe
"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4980

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
2⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\cmd.exe
cmd /Q /C move /Y C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe C:\Windows\svchost.exe
2⤵
- Suspicious behavior: RenamesItself
PID:1952

C:\Windows\system32\cmd.exe
cmd /C "netsh advfirewall firewall add rule name=\"svchost\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe\" enable=yes"
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name=\"svchost\" dir=in action=allow program=\"C:\Users\Admin\AppData\Local\Temp\09637f910840cebb2f1e2524414c8d62.exe\" enable=yes
3⤵
PID:2432

C:\Windows\system32\cmd.exe
cmd /C whoami
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\cmd.exe
cmd /C whoami
2⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4444

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\system32\cmd.exe
cmd /C "ipconfig //flushdns"
2⤵
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\system32\ipconfig.exe
ipconfig //flushdns
3⤵
- Gathers network information
PID:4316

C:\Windows\system32\cmd.exe
cmd /Q /C reg add "HKCU\Software\Client-Server Runtime Subsystem" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Client-Server Runtime Subsystem" /f
3⤵
PID:4684

C:\Windows\system32\cmd.exe
cmd /C "powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft"
2⤵
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming\Microsoft
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\cmd.exe
cmd /C "attrib +S +H C:\Windows\svchost.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4552

C:\Windows\system32\attrib.exe
attrib +S +H C:\Windows\svchost.exe
3⤵
- Drops file in Windows directory
- Views/modifies file attributes
PID:1964

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:4948

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3200

C:\Windows\system32\cmd.exe
cmd /C ver
2⤵
PID:632

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
2⤵
- Suspicious use of WriteProcessMemory
PID:1448

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
3⤵
PID:2012

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050207.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4300

C:\Windows\1645050207.exe
C:\Windows\1645050207.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050221.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\1645050221.exe
C:\Windows\1645050221.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:220

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050225.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\1645050225.exe
C:\Windows\1645050225.exe
3⤵
- Executes dropped EXE
PID:1000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 460
4⤵
- Program crash
PID:1156

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 472
4⤵
- Program crash
PID:1072

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050231.exe
2⤵
PID:1276

C:\Windows\1645050231.exe
C:\Windows\1645050231.exe
3⤵
- Executes dropped EXE
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 460
4⤵
- Program crash
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4720 -s 472
4⤵
- Program crash
PID:4844

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050250.exe
2⤵
PID:1712

C:\Windows\1645050250.exe
C:\Windows\1645050250.exe
3⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 464
4⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 472
4⤵
- Program crash
PID:1980

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050260.exe
2⤵
PID:1616

C:\Windows\1645050260.exe
C:\Windows\1645050260.exe
3⤵
- Executes dropped EXE
PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 464
4⤵
- Program crash
PID:4736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3576 -s 472
4⤵
- Program crash
PID:2624

C:\Windows\system32\cmd.exe
cmd /C start C:\Windows\1645050315.exe
2⤵
PID:4156

C:\Windows\1645050315.exe
C:\Windows\1645050315.exe
3⤵
- Executes dropped EXE
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 464
4⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 472
4⤵
- Program crash
PID:3212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1000 -ip 1000
1⤵
PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1000 -ip 1000
1⤵
PID:1228

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4720 -ip 4720
1⤵
PID:4216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4720 -ip 4720
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 5032 -ip 5032
1⤵
PID:3668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5032 -ip 5032
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3576 -ip 3576
1⤵
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3576 -ip 3576
1⤵
PID:1312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3496 -ip 3496
1⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3496 -ip 3496
1⤵
PID:4456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Modify Existing Service

T1031

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Windows\1645050207.exe
MD5
00ebce36f199dc5197076c464a284ac8

SHA1
f4b97ed60da777cafab359696159fab854224db0

SHA256
56453d38f9c815ecab89a08b0ee3f81a8d527a351ca9ca4d8d7434f87d36e5a0

SHA512
7de0a638ab078012069508594db720123be78e76b53a869a055f32dc6932b4314f79ab6e1bdfe4bbc80b996982226a74c5b691df858bf4ab9af1b5c26e8b72b2

Download Submit
C:\Windows\1645050207.exe
MD5
00ebce36f199dc5197076c464a284ac8

SHA1
f4b97ed60da777cafab359696159fab854224db0

SHA256
56453d38f9c815ecab89a08b0ee3f81a8d527a351ca9ca4d8d7434f87d36e5a0

SHA512
7de0a638ab078012069508594db720123be78e76b53a869a055f32dc6932b4314f79ab6e1bdfe4bbc80b996982226a74c5b691df858bf4ab9af1b5c26e8b72b2

Download Submit
C:\Windows\1645050221.exe
MD5
78e67816881008dcfa36a17d91544154

SHA1
fb23c8bef4ed1e8e5d92995ac519e62b451fcc80

SHA256
ab02d5dc06f89343a20a4da5aa424c8cb766592271764e1a3b0d4ae9928c3729

SHA512
618316c3a4a40c6a8e7f4e958899c67b8d9bde4e46293b3eb44f6784e7802eb084b118b1435ba4265836065be077efe89602b8c0d7a68a74ce082f11c6194f18

Download Submit
C:\Windows\1645050221.exe
MD5
78e67816881008dcfa36a17d91544154

SHA1
fb23c8bef4ed1e8e5d92995ac519e62b451fcc80

SHA256
ab02d5dc06f89343a20a4da5aa424c8cb766592271764e1a3b0d4ae9928c3729

SHA512
618316c3a4a40c6a8e7f4e958899c67b8d9bde4e46293b3eb44f6784e7802eb084b118b1435ba4265836065be077efe89602b8c0d7a68a74ce082f11c6194f18

Download Submit
C:\Windows\1645050225.exe
MD5
9e41c1ff5349b13107a32955121b23ee

SHA1
3989c15345f12accd812962393488ff52d221be3

SHA256
dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e

SHA512
d2574b193e52671b142cf4cecd54198565fcc833f5b7e9218c529ca24182c1e2f6b4f1f685f2e2be052e074caf095be607081a5f59b188a51e596b40dd372a0a

Download Submit
C:\Windows\1645050225.exe
MD5
9e41c1ff5349b13107a32955121b23ee

SHA1
3989c15345f12accd812962393488ff52d221be3

SHA256
dd33bf66fb78dd738965c8fb1602e16bb6df43972b25b18ec8671cfb5d313e3e

SHA512
d2574b193e52671b142cf4cecd54198565fcc833f5b7e9218c529ca24182c1e2f6b4f1f685f2e2be052e074caf095be607081a5f59b188a51e596b40dd372a0a

Download Submit
C:\Windows\1645050231.exe
MD5
26b6216f36108497b43d0dcacc3d15dc

SHA1
69b1ad6c06a73af6b0874f96eb98e299b1684b08

SHA256
b8aa85756d14ab9e7060769791af2a67589bb8e001202d171fe3d2b2274341b0

SHA512
018acac48bb09263883dd3855bd20af81be7961e6071abde6aed86699e2ad550860ad3d33f6c6a46766431c1446f64a1f93e3d73bcf036c5364661e6425db79b

Download Submit
C:\Windows\1645050231.exe
MD5
26b6216f36108497b43d0dcacc3d15dc

SHA1
69b1ad6c06a73af6b0874f96eb98e299b1684b08

SHA256
b8aa85756d14ab9e7060769791af2a67589bb8e001202d171fe3d2b2274341b0

SHA512
018acac48bb09263883dd3855bd20af81be7961e6071abde6aed86699e2ad550860ad3d33f6c6a46766431c1446f64a1f93e3d73bcf036c5364661e6425db79b

Download Submit
C:\Windows\1645050250.exe
MD5
86a3aea2943811ace47365f8278b5fc8

SHA1
d1429fedd58c2d9e399335fcd77063b3b069c724

SHA256
012596c525fa03a0a044a425411fa3a31bdab47202042a171c4ead6f4766c774

SHA512
2dd7b07a5d494b4b6cc7117e4b1c8f9d59cb6cbb49145a65c13283cab5b82d5e0d5db301d50fbc7c491b92f1a58c4e0e7c7643aea1687f5a1c30e13d84cc8278

Download Submit
C:\Windows\1645050250.exe
MD5
86a3aea2943811ace47365f8278b5fc8

SHA1
d1429fedd58c2d9e399335fcd77063b3b069c724

SHA256
012596c525fa03a0a044a425411fa3a31bdab47202042a171c4ead6f4766c774

SHA512
2dd7b07a5d494b4b6cc7117e4b1c8f9d59cb6cbb49145a65c13283cab5b82d5e0d5db301d50fbc7c491b92f1a58c4e0e7c7643aea1687f5a1c30e13d84cc8278

Download Submit
C:\Windows\1645050260.exe
MD5
38a65581d4a6d84758a7f59f02c0c154

SHA1
45f3cb99f6a6bd2c3316b3732b9450d51cf70ba7

SHA256
e09ab3617ce3ae14b096d378af75199c1102425808787a28f63e57cf89fb0aec

SHA512
fc63660551e15a76dc192d9afd382d6df81989ec926e0e82cc6ebfd8ed53b52988b69ef8367603fa9b91bd85a95399f4aa4dd0e89aae0f9961dbd1ea27bbb8f8

Download Submit
C:\Windows\1645050260.exe
MD5
38a65581d4a6d84758a7f59f02c0c154

SHA1
45f3cb99f6a6bd2c3316b3732b9450d51cf70ba7

SHA256
e09ab3617ce3ae14b096d378af75199c1102425808787a28f63e57cf89fb0aec

SHA512
fc63660551e15a76dc192d9afd382d6df81989ec926e0e82cc6ebfd8ed53b52988b69ef8367603fa9b91bd85a95399f4aa4dd0e89aae0f9961dbd1ea27bbb8f8

Download Submit
C:\Windows\1645050315.exe
MD5
77a7d81463b497540b9b10658d25c19a

SHA1
e8f972ad175df15313f5746af657bc6b4d2f7f8f

SHA256
d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457

SHA512
be009c01b9348d7575975d0f7470ad03d29e0ebb55ad6bdd317763fed574cead114bd060d618a9df9aa34bbb0e74eabbbcb302255b872c58bf68078866cfb5f1

Download Submit
C:\Windows\1645050315.exe
MD5
77a7d81463b497540b9b10658d25c19a

SHA1
e8f972ad175df15313f5746af657bc6b4d2f7f8f

SHA256
d18fcd892cfdce30de3d7ff4f594ffac1e28867905f94afd586c6fff83b63457

SHA512
be009c01b9348d7575975d0f7470ad03d29e0ebb55ad6bdd317763fed574cead114bd060d618a9df9aa34bbb0e74eabbbcb302255b872c58bf68078866cfb5f1

Download Submit
memory/220-170-0x0000000007830000-0x0000000007D5C000-memory.dmp

Filesize
5.2MB

Download
memory/220-157-0x00000000056A0000-0x00000000056A1000-memory.dmp

Filesize
4KB

Download
memory/220-156-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/220-155-0x0000000000A50000-0x0000000000A70000-memory.dmp

Filesize
128KB

Download
memory/220-169-0x0000000006F50000-0x0000000007112000-memory.dmp

Filesize
1.8MB

Download
memory/936-130-0x000001B9B7060000-0x000001B9B7082000-memory.dmp

Filesize
136KB

Download
memory/936-131-0x00007FFD3A9F3000-0x00007FFD3A9F5000-memory.dmp

Filesize
8KB

Download
memory/936-132-0x000001B9B70A0000-0x000001B9B70A2000-memory.dmp

Filesize
8KB

Download
memory/936-134-0x000001B9B70A6000-0x000001B9B70A8000-memory.dmp

Filesize
8KB

Download
memory/936-133-0x000001B9B70A3000-0x000001B9B70A5000-memory.dmp

Filesize
8KB

Download
memory/1000-165-0x00000000024A0000-0x0000000002500000-memory.dmp

Filesize
384KB

Download
memory/1660-141-0x000001D652420000-0x000001D652430000-memory.dmp

Filesize
64KB

Download
memory/1660-142-0x000001D652480000-0x000001D652490000-memory.dmp

Filesize
64KB

Download
memory/1660-143-0x000001D654B40000-0x000001D654B44000-memory.dmp

Filesize
16KB

Download
memory/3496-179-0x0000000000B10000-0x0000000000B70000-memory.dmp

Filesize
384KB

Download
memory/3576-176-0x0000000002600000-0x0000000002660000-memory.dmp

Filesize
384KB

Download
memory/3612-150-0x0000000004C60000-0x0000000004D6A000-memory.dmp

Filesize
1.0MB

Download
memory/3612-151-0x0000000004B90000-0x0000000004BCC000-memory.dmp

Filesize
240KB

Download
memory/3612-161-0x00000000057E0000-0x00000000057FE000-memory.dmp

Filesize
120KB

Download
memory/3612-160-0x0000000005C90000-0x0000000006234000-memory.dmp

Filesize
5.6MB

Download
memory/3612-159-0x0000000004FF0000-0x0000000005082000-memory.dmp

Filesize
584KB

Download
memory/3612-158-0x0000000004ED0000-0x0000000004F46000-memory.dmp

Filesize
472KB

Download
memory/3612-146-0x00000000001A0000-0x00000000001C0000-memory.dmp

Filesize
128KB

Download
memory/3612-147-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

Filesize
4KB

Download
memory/3612-152-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/3612-163-0x00000000058D0000-0x0000000005936000-memory.dmp

Filesize
408KB

Download
memory/3612-148-0x00000000050C0000-0x00000000056D8000-memory.dmp

Filesize
6.1MB

Download
memory/3612-149-0x0000000004B30000-0x0000000004B42000-memory.dmp

Filesize
72KB

Download
memory/4720-168-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4864-140-0x00000176BDA56000-0x00000176BDA58000-memory.dmp

Filesize
8KB

Download
memory/4864-137-0x00007FFD3A7C3000-0x00007FFD3A7C5000-memory.dmp

Filesize
8KB

Download
memory/4864-138-0x00000176BDA50000-0x00000176BDA52000-memory.dmp

Filesize
8KB

Download
memory/4864-139-0x00000176BDA53000-0x00000176BDA55000-memory.dmp

Filesize
8KB

Download
memory/5032-173-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download