redline | 23af733a95426c2ba12f205acbdc6516ab4a12579b5de3a66d45a688a37e1d95

General

Target

XFT-21062-22.exe
Size

829KB
MD5

d733380b2e13ba9a8c2fb23a770a56e7
SHA1

53145071b9a816bd76372351bb0b9aeffd25d864
SHA256

23af733a95426c2ba12f205acbdc6516ab4a12579b5de3a66d45a688a37e1d95
SHA512

027f3cff826eafbca9a0f5aad4f44b4ba94aa55886279c504fc03fcd78f97ba7a93832f719a5b2ebcbb2f0d6c03804adf72697b6c29ca20a0b14115def6945c4

Score

10^/10

redline billy discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

billy

C2

45.133.174.87:15028

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2600-157-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Windows security bypass 2 TTPs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

XFT-21062-22.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\Control Panel\International\Geo\Nation	XFT-21062-22.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

XFT-21062-22.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	XFT-21062-22.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	XFT-21062-22.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe = "0"	XFT-21062-22.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe = "0"	XFT-21062-22.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

XFT-21062-22.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe"	XFT-21062-22.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2403053463-4052593947-3703345493-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XjWI7nd1DG9qJRc39 = "C:\\Windows\\Cursors\\6zqC2hZrEtnwuWCRJ\\svchost.exe"	XFT-21062-22.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{1C1B0CC0-6A31-4E90-A2DB-9E914604E488}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{07489714-0400-4676-8763-22A09CBEF50E}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

XFT-21062-22.exe

description pid process target process

PID 2352 set thread context of 2600 2352 XFT-21062-22.exe XFT-21062-22.exe

description	pid	process	target process
PID 2352 set thread context of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe

Drops file in Windows directory 2 IoCs

Processes:

XFT-21062-22.exe

description	ioc	process
File created	C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe	XFT-21062-22.exe
File opened for modification	C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ	XFT-21062-22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies data under HKEY_USERS 6 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001840064ECE0D0C = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e00000000020000000000106600000001000020000000b86af6a0a362240c633095893347f66cdbd317f7767669847ae867a6f2dc14cd000000000e80000000020000200000003516c883bda4c14560d6a0f19ea9903770daf4ad30cdc23e8304381a24006c2280000000daca45cc5f10830406c50e77d1dbd026dfa3039472b7cc8a51dade67451226213babe4af8ed949dbe58b07cfd3f0204302949f73e6f9e87b522bda66fe78dd7f364ed6fdfad25304632004e7c5c13e93696fcf83924021eada2eb01fb31cad9dbd1de526e11530ee1a3800e8f5974a534805ef3951d375fd68cd303b5e4fd1eb4000000051db9bd2c2c7fa3ce79192bcd221758a8551524164033e005f5b63a529eff5662c38ee9155897c1d86cd2aa8ee23a2db7df4edba0ae47536b4cc0774504f7f73	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}	svchost.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb01000000d79ef4adb8e2df4e96c16fb9ef12577e000000000200000000001066000000010000200000003ed1b665cea5e68ec2f3435436bb77f16ddaf8688ab391da681570814b654332000000000e8000000002000020000000585cc05b3b73e39f14c50f4fd759ca494c2e01c4d9bb175f651b9c10ebd36974100d000075abe37e04cea8b3e4695e559ca46966dbcdb6dc8ee2a09b5d3c4e8e4ad5edabe29e8e35488b15d72b17a87b3ef83c8f007a533da5b3ffd0f1b9393a7f00d56dabe851188d38ebc1a947befbef57e73306046228fde46a8ed3478daa5d94e14d1e09f5bdcddbef1aaaef0bfd5ba3ddcbb9d78dc782613ae2424f93bf1e5ac6d893a5819797e3fff6d13810ab172f191f09e5197897feb729ce1736dc6c5f18e856821f88d4c0612cb090c4773d171032d749525321f43fb45b5e9f9f5d2ede970a4788247338e2c2ae55878bf648b6f592be687635e7c1c8126bd7782a443268e10f07e8a48529462b6204e0d39973d3dfcdce7453dc52badc4e0ec9265ca68d5e9cb936d7a3183332eda1b92e24555adbcec6976a9927f60a71e9196fdc23f77839fda8a4b8807627131e8873038b0c0b73a56dbfc163caa050aaf64d086bca9c179d52790747a8b779ae4fee380af41bca226e47fd9383869549a994107f25e02cd886012b06b30c31648e1f5ea6a56bc6d71d8cea5d7ea7802e2e03c9f574d53ffe281dc58eea3279164469c3ecb6ac2e2d28e34f631bba560430dad290b34a9f2d8b79c601a7b622bcf330f1120858dbe81cbfc5a24da672450bc7ddcca98f693f5f1c3e56ab325caaa68cf83276cbbd7663e4f4bf48e58688bbb76b2c39046bbf625fa3fc9b36400e475bf116f2b432c4e7f72b6f2e22e10be2b14525edd2a9f46cd04013e4d40475be718ad546ecf50acfd9132c56addd1ac2174db8f292dbbf40488702426f50ef4fddad23f6c629049b76d417f1d9061b68d6955fc7a4715b4faf90c08dfd083b5c3e3fef01d6f1873a5ec68ab7f5cdee228233b89be846a4c9f0c6c5b0a67032a749dcc3ba025d7402c391b3ccc8812d67e120adbc1799004002cb1c211fb6caf953ffa9873f00f1a78fba9f8dc54052484d8bb77549e2133f586bb2005537ec88ef116fd8cb7558cfc97eb7734f650aa18b7f304129af47b98efebf37ee20114cccadfaa5983d230af69e87abe2cf5a2c12015aadfa2b9c7696cbbc218a7fd8e5fc6101ec764c3dbd9fc3c521585956737a7d0884be9b28724b1e5f9fada7b699f9039a351e1a185e6216ea4b43e05955df956d78d387c17f9043156471e6d05ff3e2fc961e5856d879ba3f7ea03202db8749d651695b25bc737fe05d88b7eeed314d01791c30867e7242484237c4e74be1fba94a5b9c435166b59870ee9347059c3f777f3f52b6a6a793728c1ccece8534769efdda9e3b1a080f9bb67facf24ae9d503398f57ba1885dee1b91661905aed002af93e95c0fc8dbb66ae7534007831ed3104a06a683cc1060a9186a675f1dbc17481dad212ef09da26cf2dcf26210261a48e336a236860c5e7408c2d71a096adb8946e3f4caca518a8752169e86c3b9f4c6628550a378852b527e55d3a5c993a00ae94eb4d7dd860847e9109f802ff5a3f0e531fc9c55bfea7f6bbe005056e290fc8d3efc80020ddee86a7ad2d0e017f7c237b75c180241b73e5c111dbffe68bf7482af9dee14091a4fea011dd260b7d2552c73b825d12658e49e15a55ca375164abde6bf884dfaa156ed009e3379ff4cfab0d922c94d339d35f49d1e7be8b15f6152d6f07ba8c71917c0f4b00debf755f24c69fbb8946f30101b4f89a6acb460143bf82ceb474725b30d28c1cfb57a905d4f66fbd09dc3376e6f817b47018f387431645e01bebf9917b2893caa07965caf75d19af271273666be400c5084c3430133853be66130679e862eab4edfbd5aa8a84fac05f0676566ca7f834c91bcbf66145ff14293bb370e5978b2b44d27f322ef790f8c4bf2ad1576564b2e0591928a9e7b19ad10da7cb4b1959a255fd70ba583b9049946847ed0f7403772579f2794a9664253bcd33871c1e9e97e956ecba23b36a1a3b732343166f6c1480e269867bb2b676187050014261544ebedf9d8b19647bebb70b4799f5098607a4bc738a9a524f2a3460d68494c2e4e7e7d51a83665e26ceec510ff6fa6048540bdd17101e1f20864b74f81d0b7065537bfe516fcbacf42ec1787d88e52f0183b2146c499fadfa5e1db1759e285457a2e7850c83f8054384a0f97218efecbcee84f4d090f016655124fcd34e76902668c0a31da437f541b87a0a4fd3a40409db5f6fb26493c69e404570d97a5171d882e11069b006ab77b18ead3b6167223b1052bfa8abd0c51290959e525d9b4a28ae0a25024eb0ac9804011d4535fab04a73ab4a119f5cddd5b97b08114c568d15a39c80b2c6160ef4ad7a56a461f931d5e876b3f93458547a7e7137f1af4f6bd43a8653ec6c2259d4c215d75bc24985929c49653a79c59d0b62ad6398981729f8f3c158cbca3ebf5d219b8eae7d433ce41e9a0725b65b7c8044a5f48473e11d42d5ecf7e81213a9b5b168a82e47c0ac45622e028138a5b9c5761185ccee8b4285f95776165c4627131a30212f5b96724bebedd8722ea1b2ae37c4761bf6e2d1285f7ac7877e8c6bb108fd509938bccb44b664d679f4d3888bb3553eb991e7393cb70adebc562c7e498283b316b735afc34901ccfc1761f710d135af2771fe6edbc2c3a22dba7ade518195d849116642f644e13b2e6bdeda8bc8aa7e2e43a898ce05e3c01355c4c9a77b9dab933d7ff1bfb34477a7fe374b3e119c9073250a131b1ea479ab8dd94d40cb266ec656dfb116c22c90a08f2fd218ad10fdd3a78e27f36d12aa8788814297f40095b957b8b14e5c8c1612e297084a4c4ad32c960281f6ce4e8871ddda70bdcb2520d754628f31d63f62ff9959065ee7518e59791c65a72b43f043d08f09a357089b80022c2cbff9a359e994947791c778ef121dbec770dfd0f9dbb334beb74dfaaadee0cd4e47099fbc29a3b69f74118f86a489c43482f4d19fd91b086c66d3d7715c9a5e046940b5d588d891cfcb3bca39177694c281c02c95d3710a0a1478dab98aaecd64d1444b041cfc2a93d8b35c7baff0df47c4a0c6c065cee96ca7525968e8d6727f098a4d274285ef34b42e0192a861fda11c4d419b6863783c046913488732874f151e6485481a4f2d0e543b0e920a76961839033c47b901587e3ac1f11af060c62863f32afead8d217536da042e07ba36b998e8ce24bfb5f2763af0a357c0142725f48c76fd250f1811180a1789d7708b4d2dc4a549789eb417336da6a0693f57400a5331cd69c560e374b407e6adf61f664f5f5bdeb80b406147f60dad7b7d76e075da8b935b357ccee374a73db924e4f552bb9c27a730aeb848e99d04ca333f85180bb80b03a9ea0ad6accbf98ddd0f188dda5eef54070d4e2e936b69b98e4f5e2ac47f892b01af462e9f071dca1246c074fccd87677cda7026f82c50fa05782b17643b08b2d1d4bd40f4fcf313a64aa6facd5036952c211545155a7106251493ceab46697f4d5bc8d4957d609c6bf4cea4730cf7dcfddff1df40a62cbbbd9fe1acd257b90a892cce4e379bd0e7604dd56f4d6039a96be3a165101da2d2469eea5fd5670da981d5d067ccdac8aecddc9edc24c88c03d3b516d6d9dfbee965f6c2c6a4e70aaadfcd8d75f48669dde83e083bd30e5abe36a79426e09d94d13dcabe9051cdec635790f6b3611384fca096d72a6cbc5d8c1872c3feb4e119a1b2883203fa49a4d56cfea3ab93b08c5fa3f6595ca0ccda5a22f7fed07aeada7df9fbb722a6e03bd8b3f2c56b46cf1b499f711e728185cf3a79fbb76471e2d53baab2d3e0d86d0b128efa6afbe630c62188774f525e05227ac2f3fff56cc1b4825b599de1c94cd7afc4c42b1a8a999e4b3f59f3d0fec7e839e09491c826fcb8434741189bc70eec257982a0a9841a5b56d2fb0ca5ff24712d855cff24a7cde34c5276788bfb9e3314c46e39b1dff0578bb333f699536eb8e22b4465b04c186035ce6c4fc6f6eafd2ec2ca4a79dfb54931f625bc6912475af598e9d013136044f4ab8986f9a529263790ecdd764440b4e12708638435f50f944803f8a5ed9256fd954ff4efad22c064123b3d885b24384c57e72ef234e43340a2e4a5cc693e6946fdbf62f9fe7152355da4e7f067eb1815b19bb694cb47ca300f4208daf43def523ee5649e0ebc7c07880f067f5c799ba3d3f3c20e80930740ec85bda16390e1c3cc29961acd7604dfb49c540f60033879193a11ca5f30d7c14d91dbc45dea8fbedeadb8cd1e981e8d5ea0d8c2d30cea772f69e78063467d7fea1a387eab1fabed507257090eddd69f70b68054139d7961280ad3b6b153ad3d3734611e5968a59461b8575616f87897affcfeb161295a732376eec590339f8c9e12840add15091aac0d8b06e005a526a3dae558b249a782492ff148b8de4358b2f282865c748be1782c9d78c0c3e24cdb50d852e24dc29dc7abc879a5eb5b9687de634ceb6fcb954721f0c58ecb7c79ddc661fab217b220b228a1c5141b219dab975131d7c1219052a4b8a3100beb83613c3f4885732c0041920e7d19da68caeeef98402e73d9b73933e0def8524c5af40296a2b215143973c1873b6b04be827178ed94eef772166432ac6faf227c993030c099ae4ad375e763d105d56bbf97119721636974624ff6ec622a576d6acc651c1ca40e90777f1c3060980a0ec694266a8a2d30a1b13992dfde932d45003362a9bb41145c32600384bf3f9db3d07c2113acb94c3945d935d2da1914d83ee87ab3840b729dcc02120e52cfc4fcba246540000000e16d793711a763f1142325beef4cd2dbacdbdf145720cd7516949cfba3bc0e099d5bfee0961674f43642bfffd602360124eddfd451f28a334b232c5782fd868a	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001840064ECE0D0C"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property	svchost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

XFT-21062-22.exepowershell.exepowershell.exepowershell.exeXFT-21062-22.exe

pid	process
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
1324	powershell.exe
1032	powershell.exe
1744	powershell.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
1324	powershell.exe
1032	powershell.exe
1744	powershell.exe
2352	XFT-21062-22.exe
2352	XFT-21062-22.exe
2600	XFT-21062-22.exe
2600	XFT-21062-22.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

XFT-21062-22.exepowershell.exepowershell.exepowershell.exeXFT-21062-22.exe

description	pid	process
Token: SeDebugPrivilege	2352	XFT-21062-22.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	2600	XFT-21062-22.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

XFT-21062-22.exe

description	pid	process	target process
PID 2352 wrote to memory of 1032	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1032	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1032	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1324	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1324	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1324	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1744	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1744	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 1744	2352	XFT-21062-22.exe	powershell.exe
PID 2352 wrote to memory of 2572	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2572	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2572	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe
PID 2352 wrote to memory of 2600	2352	XFT-21062-22.exe	XFT-21062-22.exe

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
1⤵
- Checks computer location settings
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Cursors\6zqC2hZrEtnwuWCRJ\svchost.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
2⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe
"C:\Users\Admin\AppData\Local\Temp\XFT-21062-22.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:3508

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
- Modifies data under HKEY_USERS
PID:4360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

2

T1089

Modify Registry

3

T1112

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\XFT-21062-22.exe.log
MD5
17573558c4e714f606f997e5157afaac

SHA1
13e16e9415ceef429aaf124139671ebeca09ed23

SHA256
c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

SHA512
f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
264bdf4039fa632a1e97f56385be1b47

SHA1
4e763082f0ffcf7a2eae53bfae4012176f9ee5cc

SHA256
6205756956ebc3e5681e18a959537a2ec9d19791175668ea101b48890f8a56bc

SHA512
a1952ce76bf3f369e6b11368483d26ff1ffdbed0a6651d17dd635f21a5e6f30466e627cc955981b7b3a82effd07881a0a31b9d11f6ddefce356e0dffe56a4230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
b1c159445b218fcc3039c60b3f2af57f

SHA1
9afb5509e24438ca02311cf2e8384d18196c336f

SHA256
bf2158a0892a74c2efa0b821b17e1cc33b77eaaa1a882c50ca408c5156d9b58e

SHA512
a68e2f91c0d25880592c8a23ebe7d11e5601551aaa93c938a120115572ec2c52a491cfd7f3b5408ad7635ee538779fcb974d770ddac191610134f6973fc586ce

Download Submit
memory/1032-174-0x000000007F350000-0x000000007F351000-memory.dmp

Filesize
4KB

Download
memory/1032-183-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/1032-182-0x00000000074C0000-0x00000000074DA000-memory.dmp

Filesize
104KB

Download
memory/1032-178-0x0000000007180000-0x000000000719A000-memory.dmp

Filesize
104KB

Download
memory/1032-154-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/1032-143-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download
memory/1032-144-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1032-145-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/1032-146-0x00000000025E2000-0x00000000025E3000-memory.dmp

Filesize
4KB

Download
memory/1032-169-0x0000000007070000-0x00000000070A2000-memory.dmp

Filesize
200KB

Download
memory/1032-173-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

Filesize
304KB

Download
memory/1032-168-0x00000000025E5000-0x00000000025E7000-memory.dmp

Filesize
8KB

Download
memory/1032-155-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/1324-177-0x00000000081C0000-0x000000000883A000-memory.dmp

Filesize
6.5MB

Download
memory/1324-179-0x0000000007BE0000-0x0000000007BEA000-memory.dmp

Filesize
40KB

Download
memory/1324-151-0x0000000005352000-0x0000000005353000-memory.dmp

Filesize
4KB

Download
memory/1324-167-0x0000000005355000-0x0000000005357000-memory.dmp

Filesize
8KB

Download
memory/1324-156-0x00000000061A0000-0x0000000006206000-memory.dmp

Filesize
408KB

Download
memory/1324-150-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/1324-148-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1324-181-0x0000000007DA0000-0x0000000007DAE000-memory.dmp

Filesize
56KB

Download
memory/1324-171-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

Filesize
304KB

Download
memory/1324-147-0x0000000005990000-0x0000000005FB8000-memory.dmp

Filesize
6.2MB

Download
memory/1324-161-0x0000000006870000-0x000000000688E000-memory.dmp

Filesize
120KB

Download
memory/1324-176-0x000000007F3B0000-0x000000007F3B1000-memory.dmp

Filesize
4KB

Download
memory/1744-175-0x000000007FC80000-0x000000007FC81000-memory.dmp

Filesize
4KB

Download
memory/1744-180-0x0000000007180000-0x0000000007216000-memory.dmp

Filesize
600KB

Download
memory/1744-153-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/1744-152-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1744-166-0x0000000004825000-0x0000000004827000-memory.dmp

Filesize
8KB

Download
memory/1744-149-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/1744-170-0x000000006F2B0000-0x000000006F2FC000-memory.dmp

Filesize
304KB

Download
memory/1744-172-0x0000000006B70000-0x0000000006B8E000-memory.dmp

Filesize
120KB

Download
memory/2352-140-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/2352-137-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/2352-135-0x00000000002A0000-0x0000000000376000-memory.dmp

Filesize
856KB

Download
memory/2352-142-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/2352-136-0x0000000004D00000-0x0000000004D9C000-memory.dmp

Filesize
624KB

Download
memory/2352-165-0x0000000070800000-0x0000000070812000-memory.dmp

Filesize
72KB

Download
memory/2352-134-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2352-141-0x0000000004FE0000-0x0000000005036000-memory.dmp

Filesize
344KB

Download
memory/2352-138-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2352-139-0x0000000004DA0000-0x0000000005344000-memory.dmp

Filesize
5.6MB

Download
memory/2600-158-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/2600-157-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2600-159-0x0000000005380000-0x0000000005998000-memory.dmp

Filesize
6.1MB

Download
memory/2600-184-0x0000000006350000-0x0000000006512000-memory.dmp

Filesize
1.8MB

Download
memory/2600-185-0x0000000006A50000-0x0000000006F7C000-memory.dmp

Filesize
5.2MB

Download
memory/2600-160-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/2600-162-0x0000000004DC0000-0x0000000004DFC000-memory.dmp

Filesize
240KB

Download
memory/2600-163-0x0000000004D50000-0x0000000004D51000-memory.dmp

Filesize
4KB

Download
memory/2600-189-0x0000000006850000-0x00000000068C6000-memory.dmp

Filesize
472KB

Download
memory/2600-190-0x0000000006A30000-0x0000000006A4E000-memory.dmp

Filesize
120KB

Download
memory/2600-164-0x0000000005070000-0x000000000517A000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads