redline | 160625fc9d9070b64847cad9582f16da0ddc6ed074ae3d07ec33e9ea4e28e1c2

Analysis

max time kernel
169s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2022 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e2802760f0b07c1290456694ebf5423.exe
Size

173KB
MD5

1e2802760f0b07c1290456694ebf5423
SHA1

9a3a72436ac7d49aeedad5b4eae74173cd8dcb41
SHA256

160625fc9d9070b64847cad9582f16da0ddc6ed074ae3d07ec33e9ea4e28e1c2
SHA512

197882aa57c2dba7a827f3d0b04428c9d31c09a184b51a0f4dac9a6d47e6127a02fec195d2ac96d72bd8726917e360c985ea698c55e5b45b065f6b8dd0e19b0f
SSDEEP

3072:7TQnFeJSrE+G7HRT+rnnDdSzOXueSX5xU5vcOdJRY8pvNBGxEYTlzCS/u:75MrER4nnhyOXs5xETdJRY8ZNBGnXu

Score

10^/10

redline @moriwws infostealer persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
bde556419603fef0058cbd9e9dcab2a2

Extracted

Family

redline

Botnet

@moriwWs

tininshassama.xyz:81

Attributes

auth_value
c2f987b4e6cd55ad1315311e92563eca

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

resource	yara_rule
behavioral2/memory/3788-143-0x0000000000B90000-0x0000000000BB8000-memory.dmp	family_redline
behavioral2/memory/1960-144-0x0000000000B20000-0x0000000000B48000-memory.dmp	family_redline

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2588	S.EXE
3800	V.EXE
4388	chrome.exe
4524	MainModule.exe
5076	start.exe
1980	reojnlrtehrwep.c.exe
1344	svcupdater.exe
1744	dllhost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3680-133-0x0000000000600000-0x0000000000682000-memory.dmp	upx
behavioral2/memory/3680-138-0x0000000000600000-0x0000000000682000-memory.dmp	upx
behavioral2/files/0x0008000000022dfd-173.dat	upx
behavioral2/files/0x0008000000022dfd-174.dat	upx
behavioral2/memory/5076-175-0x0000000000B50000-0x000000000198B000-memory.dmp	upx
behavioral2/memory/5076-195-0x0000000000B50000-0x000000000198B000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	1e2802760f0b07c1290456694ebf5423.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1980	reojnlrtehrwep.c.exe
1980	reojnlrtehrwep.c.exe
1344	svcupdater.exe
1344	svcupdater.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 1960	2588	S.EXE	89
PID 3800 set thread context of 3788	3800	V.EXE	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2644	schtasks.exe
2440	schtasks.exe
2272	schtasks.exe
4696	schtasks.exe
4544	schtasks.exe
4064	schtasks.exe
4448	schtasks.exe
2344	schtasks.exe
992	schtasks.exe
4444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
3788	vbc.exe
3788	vbc.exe
4524	MainModule.exe
3612	powershell.exe
1980	reojnlrtehrwep.c.exe
1980	reojnlrtehrwep.c.exe
3612	powershell.exe
1344	svcupdater.exe
1344	svcupdater.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
4072	powershell.exe
4072	powershell.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe
1744	dllhost.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	vbc.exe
Token: SeDebugPrivilege	4524	MainModule.exe
Token: SeDebugPrivilege	3612	powershell.exe
Token: SeDebugPrivilege	1744	dllhost.exe
Token: SeDebugPrivilege	4072	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 2588	3680	1e2802760f0b07c1290456694ebf5423.exe	85
PID 3680 wrote to memory of 2588	3680	1e2802760f0b07c1290456694ebf5423.exe	85
PID 3680 wrote to memory of 2588	3680	1e2802760f0b07c1290456694ebf5423.exe	85
PID 3680 wrote to memory of 3800	3680	1e2802760f0b07c1290456694ebf5423.exe	87
PID 3680 wrote to memory of 3800	3680	1e2802760f0b07c1290456694ebf5423.exe	87
PID 3680 wrote to memory of 3800	3680	1e2802760f0b07c1290456694ebf5423.exe	87
PID 3800 wrote to memory of 3788	3800	V.EXE	90
PID 3800 wrote to memory of 3788	3800	V.EXE	90
PID 3800 wrote to memory of 3788	3800	V.EXE	90
PID 2588 wrote to memory of 1960	2588	S.EXE	89
PID 2588 wrote to memory of 1960	2588	S.EXE	89
PID 2588 wrote to memory of 1960	2588	S.EXE	89
PID 3800 wrote to memory of 3788	3800	V.EXE	90
PID 2588 wrote to memory of 1960	2588	S.EXE	89
PID 2588 wrote to memory of 1960	2588	S.EXE	89
PID 3800 wrote to memory of 3788	3800	V.EXE	90
PID 3788 wrote to memory of 4388	3788	vbc.exe	100
PID 3788 wrote to memory of 4388	3788	vbc.exe	100
PID 3788 wrote to memory of 4388	3788	vbc.exe	100
PID 3788 wrote to memory of 4524	3788	vbc.exe	102
PID 3788 wrote to memory of 4524	3788	vbc.exe	102
PID 3788 wrote to memory of 4524	3788	vbc.exe	102
PID 3788 wrote to memory of 5076	3788	vbc.exe	105
PID 3788 wrote to memory of 5076	3788	vbc.exe	105
PID 4524 wrote to memory of 320	4524	MainModule.exe	106
PID 4524 wrote to memory of 320	4524	MainModule.exe	106
PID 4524 wrote to memory of 320	4524	MainModule.exe	106
PID 320 wrote to memory of 432	320	cmd.exe	108
PID 320 wrote to memory of 432	320	cmd.exe	108
PID 320 wrote to memory of 432	320	cmd.exe	108
PID 3788 wrote to memory of 1980	3788	vbc.exe	109
PID 3788 wrote to memory of 1980	3788	vbc.exe	109
PID 320 wrote to memory of 3612	320	cmd.exe	110
PID 320 wrote to memory of 3612	320	cmd.exe	110
PID 320 wrote to memory of 3612	320	cmd.exe	110
PID 1980 wrote to memory of 4844	1980	reojnlrtehrwep.c.exe	111
PID 1980 wrote to memory of 4844	1980	reojnlrtehrwep.c.exe	111
PID 4844 wrote to memory of 2644	4844	cmd.exe	113
PID 4844 wrote to memory of 2644	4844	cmd.exe	113
PID 4524 wrote to memory of 1744	4524	MainModule.exe	115
PID 4524 wrote to memory of 1744	4524	MainModule.exe	115
PID 4524 wrote to memory of 1744	4524	MainModule.exe	115
PID 1744 wrote to memory of 792	1744	dllhost.exe	116
PID 1744 wrote to memory of 792	1744	dllhost.exe	116
PID 1744 wrote to memory of 792	1744	dllhost.exe	116
PID 1744 wrote to memory of 2584	1744	dllhost.exe	118
PID 1744 wrote to memory of 2584	1744	dllhost.exe	118
PID 1744 wrote to memory of 2584	1744	dllhost.exe	118
PID 1744 wrote to memory of 1272	1744	dllhost.exe	119
PID 1744 wrote to memory of 1272	1744	dllhost.exe	119
PID 1744 wrote to memory of 1272	1744	dllhost.exe	119
PID 1744 wrote to memory of 816	1744	dllhost.exe	120
PID 1744 wrote to memory of 816	1744	dllhost.exe	120
PID 1744 wrote to memory of 816	1744	dllhost.exe	120
PID 1744 wrote to memory of 2296	1744	dllhost.exe	121
PID 1744 wrote to memory of 2296	1744	dllhost.exe	121
PID 1744 wrote to memory of 2296	1744	dllhost.exe	121
PID 1744 wrote to memory of 3640	1744	dllhost.exe	123
PID 1744 wrote to memory of 3640	1744	dllhost.exe	123
PID 1744 wrote to memory of 3640	1744	dllhost.exe	123
PID 1744 wrote to memory of 3000	1744	dllhost.exe	125
PID 1744 wrote to memory of 3000	1744	dllhost.exe	125
PID 1744 wrote to memory of 3000	1744	dllhost.exe	125
PID 1744 wrote to memory of 4824	1744	dllhost.exe	130

C:\Users\Admin\AppData\Local\Temp\1e2802760f0b07c1290456694ebf5423.exe
"C:\Users\Admin\AppData\Local\Temp\1e2802760f0b07c1290456694ebf5423.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\S.EXE
  "C:\Users\Admin\AppData\Local\Temp\S.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:1960
- C:\Users\Admin\AppData\Local\Temp\V.EXE
  "C:\Users\Admin\AppData\Local\Temp\V.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Users\Admin\AppData\Local\Google\chrome.exe
      "C:\Users\Admin\AppData\Local\Google\chrome.exe"
      4⤵
      Executes dropped EXE
      PID:4388
  - - C:\Users\Admin\AppData\Local\Temp\MainModule.exe
      "C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3612
    - - C:\ProgramData\Dllhost\dllhost.exe
        
        "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2440
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4448
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:1272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:3640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:992
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:2344
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4696
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2636" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk2636" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4444
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4344" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk4344" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4544
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk875" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:3472
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk367" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk367" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        6⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        7⤵
        
        PID:1860
  - - C:\Users\Admin\AppData\Local\Temp\start.exe
      "C:\Users\Admin\AppData\Local\Temp\start.exe"
      4⤵
      Executes dropped EXE
      PID:5076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "" "Get-WmiObject Win32_PortConnector"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\reojnlrtehrwep.c.exe
      "C:\Users\Admin\AppData\Local\Temp\reojnlrtehrwep.c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /C schtasks /create /tn GwzNESXBuI /tr C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4844
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /tn GwzNESXBuI /tr C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe /st 00:00 /du 9999:59 /sc once /ri 1 /f
        6⤵
        Creates scheduled task(s)
        
        PID:2644

C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe
C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
60KB

MD5
9a4febef8d60ba3a7039d023231c6dec

SHA1
2b94634c21c98db8a77d3ceef4a57ea8009afd50

SHA256
efc5f8d9cf611f8f8857840f49a111bac24b16966fc69a17f3757cbcf7f3bbe0

SHA512
bfe7dca34d63289b56288dc6171b58951c3ef27c90e316ca5ce6da812a6a887b30c9967fff59067b23d68fe02d6ff746037c9b2563077f092f2a2abade3cea62

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
c950c3cb590546fe0f33d3864f9ead4c

SHA1
070691fb29ae8df0dd653dbbaafa07cf69e7646e

SHA256
6acf4c4c5aab6234d8f9cbccb44574948d5719d5715cb8898769c0050b006e61

SHA512
7a3bb9de713823c2d81db856af5a1e74dec0ebcbc88dba0404ca325b1ef247689e3df47133879cb9c3d650b3dae51032d62af662ccb4adec2166e903bbbc6d7c

Download Submit
C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
2eb1f0cd73ab52f0434a1e8575553014

SHA1
8354dd14ddb0252a7ec0228f711fd8a326809f55

SHA256
31e2c3cbcaae0c132f191eb1cfa0079020a89843ef63c181bd3d4b1dddc09189

SHA512
02e041745c261b53401fc2f0132db6215a0e898a9298419f0e612efd2a6d180fe8e49201d16680ca60eaada432ca1b70d441c84af87c41f95062212799f8cf93

Download Submit
C:\Users\Admin\AppData\Local\Google\chrome.exe

Filesize
6.1MB

MD5
2eb1f0cd73ab52f0434a1e8575553014

SHA1
8354dd14ddb0252a7ec0228f711fd8a326809f55

SHA256
31e2c3cbcaae0c132f191eb1cfa0079020a89843ef63c181bd3d4b1dddc09189

SHA512
02e041745c261b53401fc2f0132db6215a0e898a9298419f0e612efd2a6d180fe8e49201d16680ca60eaada432ca1b70d441c84af87c41f95062212799f8cf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
3da42ac422fca8746fa02070d5109b12

SHA1
d5d91f17e746561b389dbb8159212d638eec53bd

SHA256
aae94f75592ddfd404829b1e504b7ff81f53f7ac268596dd24d63a0c648b0eff

SHA512
64fd76200db9b9004ca1ff51c41bbe9ca46c65132460c236bfa305f6b4f9b7d9735b7212c8fee676811028651668e7e57fc85347a273fee1a45cc653d6a89ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
56KB

MD5
ddd629995106be2266b038e7faf5fd01

SHA1
1b3c3eeb8a07e7ac68697bd6ef97525ce16e983b

SHA256
1172d350467f5910e99f1a80ffef7433e31da14050a6b6f27142f5efc910bb5c

SHA512
8ab3e3c4d26836088b6a671977229d6a04dbcccf8d3e13b67ead1d94727598c7a4484fd66ad5d3fdbd70af22c1845eee712b42aa94675fc68a5b7fafbee27f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
56KB

MD5
ddd629995106be2266b038e7faf5fd01

SHA1
1b3c3eeb8a07e7ac68697bd6ef97525ce16e983b

SHA256
1172d350467f5910e99f1a80ffef7433e31da14050a6b6f27142f5efc910bb5c

SHA512
8ab3e3c4d26836088b6a671977229d6a04dbcccf8d3e13b67ead1d94727598c7a4484fd66ad5d3fdbd70af22c1845eee712b42aa94675fc68a5b7fafbee27f78

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.EXE

Filesize
221KB

MD5
dadc63f1091f6e22549b8c881c34cd3c

SHA1
38375ae55ca88435a15d0ebbed2e3cfa911591de

SHA256
872904de3861315d1327308235f0db1dcd8dc23de27d8127d57baadd13138d27

SHA512
2db2f1681e3c1fa96b6581d283c49f48b799bf36567998d9fc656285847afef4205f7a48d5c780f34f3cea41477dc3ef914f11c6c2a83354f23ab6e8c07b47f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\S.EXE

Filesize
221KB

MD5
dadc63f1091f6e22549b8c881c34cd3c

SHA1
38375ae55ca88435a15d0ebbed2e3cfa911591de

SHA256
872904de3861315d1327308235f0db1dcd8dc23de27d8127d57baadd13138d27

SHA512
2db2f1681e3c1fa96b6581d283c49f48b799bf36567998d9fc656285847afef4205f7a48d5c780f34f3cea41477dc3ef914f11c6c2a83354f23ab6e8c07b47f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\V.EXE

Filesize
218KB

MD5
c57dcb7c0b134e5f17ebc434b7f16666

SHA1
8f984edb1286cd103763cc6e8e49c5e651ba6de8

SHA256
cb5a46276469443e851d43d7aa79355ca7127253521c83b34c8fb8889fb09c05

SHA512
ddc6a626bcf58a076eefd25a28baa5dc6f04d04ed0c7c599df7a116832cc1e42c98a3254f8e47fc61f5454c4e4c0f1293fd4a7cb186e309f457fb02f4b12c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\V.EXE

Filesize
218KB

MD5
c57dcb7c0b134e5f17ebc434b7f16666

SHA1
8f984edb1286cd103763cc6e8e49c5e651ba6de8

SHA256
cb5a46276469443e851d43d7aa79355ca7127253521c83b34c8fb8889fb09c05

SHA512
ddc6a626bcf58a076eefd25a28baa5dc6f04d04ed0c7c599df7a116832cc1e42c98a3254f8e47fc61f5454c4e4c0f1293fd4a7cb186e309f457fb02f4b12c758

Download Submit
C:\Users\Admin\AppData\Local\Temp\reojnlrtehrwep.c.exe

Filesize
8.3MB

MD5
07abee9799eecb7e637d68f9fafbdf77

SHA1
363a1eca2f2573ceb80a95ec9af12d936b9794f7

SHA256
b0a9b65569241c677758d824f35c22e4475345b5710aa1a95d22b9fa923f152c

SHA512
48857f4c9b1fcc3559109fe2cf47e19499db1a8d2b298f3e8300dafadb64950bb75c5282871ab7f20c80294ae5a0af10020f1d80cfceb98a544ccbfa6b757802

Download Submit
C:\Users\Admin\AppData\Local\Temp\reojnlrtehrwep.c.exe

Filesize
8.3MB

MD5
07abee9799eecb7e637d68f9fafbdf77

SHA1
363a1eca2f2573ceb80a95ec9af12d936b9794f7

SHA256
b0a9b65569241c677758d824f35c22e4475345b5710aa1a95d22b9fa923f152c

SHA512
48857f4c9b1fcc3559109fe2cf47e19499db1a8d2b298f3e8300dafadb64950bb75c5282871ab7f20c80294ae5a0af10020f1d80cfceb98a544ccbfa6b757802

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.1MB

MD5
aa8422c63726f005668ff1d44a9f235f

SHA1
136996429a4f43f93c5aea41a6e0629a2ae8ea55

SHA256
403bae26214c9f3be2498203af2a0b4f47c5a739b06f87a93063e5bb46d25aa6

SHA512
7b09a63feb3c7688c69c84356a82e3a8396f0abffab8b6acbc8526f21fddad2bea6b3b4303ff5626e8e265d3bc29925183f23d8049136235cfc9f0fdeec67478

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.1MB

MD5
aa8422c63726f005668ff1d44a9f235f

SHA1
136996429a4f43f93c5aea41a6e0629a2ae8ea55

SHA256
403bae26214c9f3be2498203af2a0b4f47c5a739b06f87a93063e5bb46d25aa6

SHA512
7b09a63feb3c7688c69c84356a82e3a8396f0abffab8b6acbc8526f21fddad2bea6b3b4303ff5626e8e265d3bc29925183f23d8049136235cfc9f0fdeec67478

Download Submit
C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe

Filesize
8.3MB

MD5
07abee9799eecb7e637d68f9fafbdf77

SHA1
363a1eca2f2573ceb80a95ec9af12d936b9794f7

SHA256
b0a9b65569241c677758d824f35c22e4475345b5710aa1a95d22b9fa923f152c

SHA512
48857f4c9b1fcc3559109fe2cf47e19499db1a8d2b298f3e8300dafadb64950bb75c5282871ab7f20c80294ae5a0af10020f1d80cfceb98a544ccbfa6b757802

Download Submit
C:\Users\Admin\AppData\Roaming\GwzNESXBuI\svcupdater.exe

Filesize
8.3MB

MD5
07abee9799eecb7e637d68f9fafbdf77

SHA1
363a1eca2f2573ceb80a95ec9af12d936b9794f7

SHA256
b0a9b65569241c677758d824f35c22e4475345b5710aa1a95d22b9fa923f152c

SHA512
48857f4c9b1fcc3559109fe2cf47e19499db1a8d2b298f3e8300dafadb64950bb75c5282871ab7f20c80294ae5a0af10020f1d80cfceb98a544ccbfa6b757802

Download Submit
memory/320-176-0x0000000000000000-mapping.dmp

Download
memory/432-177-0x0000000000000000-mapping.dmp

Download
memory/792-207-0x0000000000000000-mapping.dmp

Download
memory/816-212-0x0000000000000000-mapping.dmp

Download
memory/992-227-0x0000000000000000-mapping.dmp

Download
memory/1000-219-0x0000000000000000-mapping.dmp

Download
memory/1272-210-0x0000000000000000-mapping.dmp

Download
memory/1344-198-0x0000000000580000-0x00000000016F5000-memory.dmp

Filesize
17.5MB

Download
memory/1344-199-0x0000000000580000-0x00000000016F5000-memory.dmp

Filesize
17.5MB

Download
memory/1344-245-0x0000000000580000-0x00000000016F5000-memory.dmp

Filesize
17.5MB

Download
memory/1744-203-0x0000000000000000-mapping.dmp

Download
memory/1744-206-0x0000000000060000-0x0000000000076000-memory.dmp

Filesize
88KB

Download
memory/1860-237-0x0000000000000000-mapping.dmp

Download
memory/1960-144-0x0000000000B20000-0x0000000000B48000-memory.dmp

Filesize
160KB

Download
memory/1960-155-0x0000000005110000-0x0000000005122000-memory.dmp

Filesize
72KB

Download
memory/1960-156-0x0000000005170000-0x00000000051AC000-memory.dmp

Filesize
240KB

Download
memory/1960-142-0x0000000000000000-mapping.dmp

Download
memory/1980-194-0x0000000000C00000-0x0000000001D75000-memory.dmp

Filesize
17.5MB

Download
memory/1980-185-0x0000000000C00000-0x0000000001D75000-memory.dmp

Filesize
17.5MB

Download
memory/1980-186-0x0000000000C00000-0x0000000001D75000-memory.dmp

Filesize
17.5MB

Download
memory/1980-178-0x0000000000000000-mapping.dmp

Download
memory/2272-225-0x0000000000000000-mapping.dmp

Download
memory/2296-213-0x0000000000000000-mapping.dmp

Download
memory/2344-228-0x0000000000000000-mapping.dmp

Download
memory/2368-218-0x0000000000000000-mapping.dmp

Download
memory/2440-224-0x0000000000000000-mapping.dmp

Download
memory/2584-208-0x0000000000000000-mapping.dmp

Download
memory/2588-134-0x0000000000000000-mapping.dmp

Download
memory/2644-192-0x0000000000000000-mapping.dmp

Download
memory/3000-216-0x0000000000000000-mapping.dmp

Download
memory/3472-220-0x0000000000000000-mapping.dmp

Download
memory/3612-226-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/3612-239-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/3612-238-0x0000000007460000-0x000000000746E000-memory.dmp

Filesize
56KB

Download
memory/3612-187-0x0000000005950000-0x00000000059B6000-memory.dmp

Filesize
408KB

Download
memory/3612-184-0x00000000057B0000-0x00000000057D2000-memory.dmp

Filesize
136KB

Download
memory/3612-183-0x0000000005180000-0x00000000057A8000-memory.dmp

Filesize
6.2MB

Download
memory/3612-182-0x0000000002910000-0x0000000002946000-memory.dmp

Filesize
216KB

Download
memory/3612-209-0x0000000006ED0000-0x0000000006F02000-memory.dmp

Filesize
200KB

Download
memory/3612-211-0x000000006DD00000-0x000000006DD4C000-memory.dmp

Filesize
304KB

Download
memory/3612-235-0x00000000074C0000-0x0000000007556000-memory.dmp

Filesize
600KB

Download
memory/3612-181-0x0000000000000000-mapping.dmp

Download
memory/3612-193-0x0000000004C80000-0x0000000004C9E000-memory.dmp

Filesize
120KB

Download
memory/3612-240-0x00000000074A0000-0x00000000074A8000-memory.dmp

Filesize
32KB

Download
memory/3612-222-0x0000000007890000-0x0000000007F0A000-memory.dmp

Filesize
6.5MB

Download
memory/3612-223-0x0000000007230000-0x000000000724A000-memory.dmp

Filesize
104KB

Download
memory/3612-214-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/3640-215-0x0000000000000000-mapping.dmp

Download
memory/3680-133-0x0000000000600000-0x0000000000682000-memory.dmp

Filesize
520KB

Download
memory/3680-138-0x0000000000600000-0x0000000000682000-memory.dmp

Filesize
520KB

Download
memory/3700-236-0x0000000000000000-mapping.dmp

Download
memory/3788-157-0x00000000082F0000-0x0000000008894000-memory.dmp

Filesize
5.6MB

Download
memory/3788-153-0x0000000006120000-0x0000000006738000-memory.dmp

Filesize
6.1MB

Download
memory/3788-159-0x00000000057F0000-0x0000000005856000-memory.dmp

Filesize
408KB

Download
memory/3788-161-0x0000000008DD0000-0x00000000092FC000-memory.dmp

Filesize
5.2MB

Download
memory/3788-162-0x00000000080E0000-0x0000000008156000-memory.dmp

Filesize
472KB

Download
memory/3788-163-0x0000000007BC0000-0x0000000007C10000-memory.dmp

Filesize
320KB

Download
memory/3788-143-0x0000000000B90000-0x0000000000BB8000-memory.dmp

Filesize
160KB

Download
memory/3788-141-0x0000000000000000-mapping.dmp

Download
memory/3788-158-0x00000000012F0000-0x0000000001382000-memory.dmp

Filesize
584KB

Download
memory/3788-160-0x0000000007D40000-0x0000000007F02000-memory.dmp

Filesize
1.8MB

Download
memory/3788-154-0x0000000007AB0000-0x0000000007BBA000-memory.dmp

Filesize
1.0MB

Download
memory/3800-136-0x0000000000000000-mapping.dmp

Download
memory/4064-233-0x0000000000000000-mapping.dmp

Download
memory/4072-242-0x000002C956400000-0x000002C956422000-memory.dmp

Filesize
136KB

Download
memory/4072-241-0x0000000000000000-mapping.dmp

Download
memory/4072-244-0x00007FFF56F90000-0x00007FFF57A51000-memory.dmp

Filesize
10.8MB

Download
memory/4388-164-0x0000000000000000-mapping.dmp

Download
memory/4412-221-0x0000000000000000-mapping.dmp

Download
memory/4444-231-0x0000000000000000-mapping.dmp

Download
memory/4448-229-0x0000000000000000-mapping.dmp

Download
memory/4524-170-0x0000000000B40000-0x0000000000B54000-memory.dmp

Filesize
80KB

Download
memory/4524-167-0x0000000000000000-mapping.dmp

Download
memory/4524-171-0x0000000005380000-0x000000000538A000-memory.dmp

Filesize
40KB

Download
memory/4544-232-0x0000000000000000-mapping.dmp

Download
memory/4696-230-0x0000000000000000-mapping.dmp

Download
memory/4824-217-0x0000000000000000-mapping.dmp

Download
memory/4844-191-0x0000000000000000-mapping.dmp

Download
memory/5076-172-0x0000000000000000-mapping.dmp

Download
memory/5076-175-0x0000000000B50000-0x000000000198B000-memory.dmp

Filesize
14.2MB

Download
memory/5076-195-0x0000000000B50000-0x000000000198B000-memory.dmp

Filesize
14.2MB

Download