Analysis
max time kernel: 185s
max time network: 303s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 29-07-2023 04:50
Static task: static1
Behavioral task: behavioral1
Sample: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
Resource: win7-20230712-en
General
Target: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
Size: 6.5MB
MD5: 89e9bc7a5d97370a0f4a35041a54a696
SHA1: c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512: 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
SSDEEP: 196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS
Malware Config
Extracted: amadey
Version: 3.80
C2: 45.15.156.208/jd9dd3Vw/index.php
C2: second.amadgood.com/jd9dd3Vw/index.php
Extracted: laplas
C2: http://206.189.229.43
api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoCs)
resource | yara_rule
behavioral1/memory/1976-259-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline
Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
description | pid | Process | procid_target
PID 2568 created 1256 | 2568 | rdpcllp.exe | 12
PID 2568 created 1256 | 2568 | rdpcllp.exe | 12
PID 2568 created 1256 | 2568 | rdpcllp.exe | 12
PID 2568 created 1256 | 2568 | rdpcllp.exe | 12
PID 2568 created 1256 | 2568 | rdpcllp.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
PID 3036 created 1256 | 3036 | updater.exe | 12
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 4 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | taskhostclp.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ntlhost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | rdpcllp.exe
Downloads MZ/PE file
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | rdpcllp.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
Stops running service(s) (3 TTPs)
Checks BIOS information in registry (2 TTPs, 8 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | rdpcllp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | rdpcllp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ntlhost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ntlhost.exe
Executes dropped EXE (8 IoCs)
pid | Process
2764 | oneetx.exe
1648 | taskmask.exe
2568 | rdpcllp.exe
860 | taskhostclp.exe
2408 | oneetx.exe
3036 | updater.exe
2848 | ntlhost.exe
2156 | oneetx.exe
Loads dropped DLL (6 IoCs)
pid | Process
2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
2764 | oneetx.exe
2764 | oneetx.exe
2764 | oneetx.exe
2216 | taskeng.exe
860 | taskhostclp.exe
Themida packer (yara rule themida, 19 IoCs)
resource | yara_rule
behavioral1/files/0x0009000000016586-122.dat | themida
behavioral1/files/0x0009000000016586-128.dat | themida
behavioral1/memory/2568-132-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/files/0x0009000000016586-130.dat | themida
behavioral1/memory/2568-142-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-144-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-146-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-145-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-147-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-149-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-157-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-183-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/memory/2568-205-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/files/0x0009000000016586-237.dat | themida
behavioral1/memory/2568-239-0x000000013F110000-0x000000013FF5A000-memory.dmp | themida
behavioral1/files/0x0007000000016ce7-261.dat | themida
behavioral1/files/0x0007000000016ce7-265.dat | themida
behavioral1/memory/3036-266-0x000000013F270000-0x00000001400BA000-memory.dmp | themida
behavioral1/files/0x0007000000016ce7-333.dat | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | taskhostclp.exe
Checks whether UAC is enabled (4 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | rdpcllp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | taskhostclp.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ntlhost.exe
Drops file in System32 directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
pid | Process
2568 | rdpcllp.exe
860 | taskhostclp.exe
3036 | updater.exe
2848 | ntlhost.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1648 set thread context of 1976 | 1648 | taskmask.exe | 70
PID 3036 set thread context of 2424 | 3036 | updater.exe | 92
PID 3036 set thread context of 1364 | 3036 | updater.exe | 93
Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | rdpcllp.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe (10 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid | Process
2436 | sc.exe
2280 | sc.exe
2892 | sc.exe
1892 | sc.exe
1060 | sc.exe
1972 | sc.exe
436 | sc.exe
1736 | sc.exe
1996 | sc.exe
2128 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2944 | schtasks.exe
1608 | schtasks.exe
2988 | schtasks.exe
GoLang User-Agent (1 IoCs)
Uses default user-agent string defined by GoLang HTTP packages.
description | flow | ioc
HTTP User-Agent header | 8 | Go-http-client/1.1
Modifies data under HKEY_USERS (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60b1dd54d8c1d901 | powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
2764 | oneetx.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
1092 | powershell.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
1896 | powershell.exe
2568 | rdpcllp.exe
2568 | rdpcllp.exe
1648 | taskmask.exe
1648 | taskmask.exe
2408 | oneetx.exe
3036 | updater.exe
3036 | updater.exe
2960 | powershell.exe
3036 | updater.exe
3036 | updater.exe
1976 | aspnet_compiler.exe
1976 | aspnet_compiler.exe
3036 | updater.exe
3036 | updater.exe
3036 | updater.exe
3036 | updater.exe
3012 | powershell.exe
3036 | updater.exe
3036 | updater.exe
3036 | updater.exe
3036 | updater.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
1364 | explorer.exe
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
464 | Process not Found
Suspicious use of AdjustPrivilegeToken (16 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1092 | powershell.exe
Token: SeShutdownPrivilege | 484 | powercfg.exe
Token: SeShutdownPrivilege | 1908 | powercfg.exe
Token: SeShutdownPrivilege | 1940 | powercfg.exe
Token: SeDebugPrivilege | 1896 | powershell.exe
Token: SeDebugPrivilege | 1648 | taskmask.exe
Token: SeShutdownPrivilege | 2376 | powercfg.exe
Token: SeDebugPrivilege | 1976 | aspnet_compiler.exe
Token: SeDebugPrivilege | 2960 | powershell.exe
Token: SeShutdownPrivilege | 2644 | powercfg.exe
Token: SeShutdownPrivilege | 1060 | powercfg.exe
Token: SeDebugPrivilege | 3012 | powershell.exe
Token: SeShutdownPrivilege | 692 | powercfg.exe
Token: SeShutdownPrivilege | 760 | powercfg.exe
Token: SeDebugPrivilege | 3036 | updater.exe
Token: SeLockMemoryPrivilege | 1364 | explorer.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
pid | Process
2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2332 wrote to memory of 2764 | 2332 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe | 28
PID 2764 wrote to memory of 2944 | 2764 | oneetx.exe | 29
PID 2764 wrote to memory of 2944 | 2764 | oneetx.exe | 29
PID 2764 wrote to memory of 2944 | 2764 | oneetx.exe | 29
PID 2764 wrote to memory of 2944 | 2764 | oneetx.exe | 29
PID 2764 wrote to memory of 2224 | 2764 | oneetx.exe | 31
PID 2764 wrote to memory of 2224 | 2764 | oneetx.exe | 31
PID 2764 wrote to memory of 2224 | 2764 | oneetx.exe | 31
PID 2764 wrote to memory of 2224 | 2764 | oneetx.exe | 31
PID 2224 wrote to memory of 2788 | 2224 | cmd.exe | 33
PID 2224 wrote to memory of 2788 | 2224 | cmd.exe | 33
PID 2224 wrote to memory of 2788 | 2224 | cmd.exe | 33
PID 2224 wrote to memory of 2788 | 2224 | cmd.exe | 33
PID 2224 wrote to memory of 2968 | 2224 | cmd.exe | 34
PID 2224 wrote to memory of 2968 | 2224 | cmd.exe | 34
PID 2224 wrote to memory of 2968 | 2224 | cmd.exe | 34
PID 2224 wrote to memory of 2968 | 2224 | cmd.exe | 34
PID 2224 wrote to memory of 2700 | 2224 | cmd.exe | 35
PID 2224 wrote to memory of 2700 | 2224 | cmd.exe | 35
PID 2224 wrote to memory of 2700 | 2224 | cmd.exe | 35
PID 2224 wrote to memory of 2700 | 2224 | cmd.exe | 35
PID 2224 wrote to memory of 1760 | 2224 | cmd.exe | 37
PID 2224 wrote to memory of 1760 | 2224 | cmd.exe | 37
PID 2224 wrote to memory of 1760 | 2224 | cmd.exe | 37
PID 2224 wrote to memory of 1760 | 2224 | cmd.exe | 37
PID 2224 wrote to memory of 2676 | 2224 | cmd.exe | 38
PID 2224 wrote to memory of 2676 | 2224 | cmd.exe | 38
PID 2224 wrote to memory of 2676 | 2224 | cmd.exe | 38
PID 2224 wrote to memory of 2676 | 2224 | cmd.exe | 38
PID 2224 wrote to memory of 2020 | 2224 | cmd.exe | 39
PID 2224 wrote to memory of 2020 | 2224 | cmd.exe | 39
PID 2224 wrote to memory of 2020 | 2224 | cmd.exe | 39
PID 2224 wrote to memory of 2020 | 2224 | cmd.exe | 39
PID 2764 wrote to memory of 1648 | 2764 | oneetx.exe | 41
PID 2764 wrote to memory of 1648 | 2764 | oneetx.exe | 41
PID 2764 wrote to memory of 1648 | 2764 | oneetx.exe | 41
PID 2764 wrote to memory of 1648 | 2764 | oneetx.exe | 41
PID 2764 wrote to memory of 2568 | 2764 | oneetx.exe | 42
PID 2764 wrote to memory of 2568 | 2764 | oneetx.exe | 42
PID 2764 wrote to memory of 2568 | 2764 | oneetx.exe | 42
PID 2764 wrote to memory of 2568 | 2764 | oneetx.exe | 42
PID 2764 wrote to memory of 860 | 2764 | oneetx.exe | 43
PID 2764 wrote to memory of 860 | 2764 | oneetx.exe | 43
PID 2764 wrote to memory of 860 | 2764 | oneetx.exe | 43
PID 2764 wrote to memory of 860 | 2764 | oneetx.exe | 43
PID 1900 wrote to memory of 2436 | 1900 | cmd.exe | 50
PID 1900 wrote to memory of 2436 | 1900 | cmd.exe | 50
PID 1900 wrote to memory of 2436 | 1900 | cmd.exe | 50
PID 1900 wrote to memory of 1060 | 1900 | cmd.exe | 88
PID 1900 wrote to memory of 1060 | 1900 | cmd.exe | 88
PID 1900 wrote to memory of 1060 | 1900 | cmd.exe | 88
PID 1900 wrote to memory of 1972 | 1900 | cmd.exe | 52
PID 1900 wrote to memory of 1972 | 1900 | cmd.exe | 52
PID 1900 wrote to memory of 1972 | 1900 | cmd.exe | 52
PID 1900 wrote to memory of 2280 | 1900 | cmd.exe | 53
PID 1900 wrote to memory of 2280 | 1900 | cmd.exe | 53
PID 1900 wrote to memory of 2280 | 1900 | cmd.exe | 53
PID 1900 wrote to memory of 436 | 1900 | cmd.exe | 54
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    PID: 1256
  [2] C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      PID: 2332
    [3] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 2764
      [4] C:\Windows\SysWOW64\schtasks.exe
          cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
          - Creates scheduled task(s)
          PID: 2944
      [4] C:\Windows\SysWOW64\cmd.exe
          cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory
          PID: 2224
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 2788
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "oneetx.exe" /P "Admin:N"
            PID: 2968
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "oneetx.exe" /P "Admin:R" /E
            PID: 2700
        [5] C:\Windows\SysWOW64\cmd.exe
            cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 1760
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\eb0f58bce7" /P "Admin:N"
            PID: 2676
        [5] C:\Windows\SysWOW64\cacls.exe
            cmdline: CACLS "..\eb0f58bce7" /P "Admin:R" /E
            PID: 2020
      [4] C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 1648
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            PID: 2592
        [5] C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
            cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1976
      [4] C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Drops file in Drivers directory
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
          PID: 2568
      [4] C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          PID: 860
        [5] C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            cmdline: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            PID: 2848
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1092
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
      PID: 1900
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop UsoSvc
        - Launches sc.exe
        PID: 2436
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
        PID: 1060
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop wuauserv
        - Launches sc.exe
        PID: 1972
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop bits
        - Launches sc.exe
        PID: 2280
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop dosvc
        - Launches sc.exe
        PID: 436
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1896
    [3] C:\Windows\system32\schtasks.exe
        cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)
        PID: 1608
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      PID: 1968
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 1908
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 1940
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 2376
  [2] C:\Windows\System32\schtasks.exe
      cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
      PID: 2620
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2960
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      PID: 1820
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop UsoSvc
        - Launches sc.exe
        PID: 1736
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
        PID: 2892
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop wuauserv
        - Launches sc.exe
        PID: 1996
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop bits
        - Launches sc.exe
        PID: 2128
    [3] C:\Windows\System32\sc.exe
        cmdline: sc stop dosvc
        - Launches sc.exe
        PID: 1892
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3012
    [3] C:\Windows\system32\schtasks.exe
        cmdline: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
        - Creates scheduled task(s)
        PID: 2988
  [2] C:\Windows\System32\cmd.exe
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      PID: 2852
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 1060
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 692
    [3] C:\Windows\System32\powercfg.exe
        cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 760
  [2] C:\Windows\System32\conhost.exe
      cmdline: C:\Windows\System32\conhost.exe
      PID: 2424
  [2] C:\Windows\explorer.exe
      cmdline: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1364
[1] C:\Windows\System32\powercfg.exe
    cmdline: powercfg /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 484
[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {E3AF431A-CB8C-4FC7-96DD-748EC797B6AA} S-1-5-21-377084978-2088738870-2818360375-1000:DSWJWADP\Admin:Interactive:[1]
    PID: 1520
  [2] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2408
  [2] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
      - Executes dropped EXE
      PID: 2156
[1] C:\Windows\system32\taskeng.exe
    cmdline: taskeng.exe {8B9E8347-A8FA-422B-BBD1-6FFAE0BE7D22} S-1-5-18:NT AUTHORITY\System:Service:
    - Loads dropped DLL
    PID: 2216
  [2] C:\Program Files\Google\Chrome\updater.exe
      cmdline: "C:\Program Files\Google\Chrome\updater.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of SetThreadContext
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 3036
[1] C:\Windows\System32\powercfg.exe
    cmdline: powercfg /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2644
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Scheduled Task/Job (1)
Downloads