Analysis
-
max time kernel
142s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
01-08-2023 07:52
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20230712-en
General
-
Target
tmp.exe
-
Size
6.5MB
-
MD5
89e9bc7a5d97370a0f4a35041a54a696
-
SHA1
c0e8572f48b2e5f83c39374f4175e35a5e7c2029
-
SHA256
9b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
-
SHA512
12100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
SSDEEP
196608:3PbBDSjGzSuyKff2j6pdVY3d2dZo2tOuAX+W6+B6VJN1lev:3JKGzXuTwdZdLM+JS
Malware Config
Extracted
amadey
3.80
45.15.156.208/jd9dd3Vw/index.php
second.amadgood.com/jd9dd3Vw/index.php
Extracted
laplas
http://206.189.229.43
-
api_key
f52a5c9bc5eb2f51b22f04f3e85c301ac0170a650de6044773f0a8309fbdfb79
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 4 IoCs
resource yara_rule behavioral1/memory/2952-116-0x0000000000020000-0x00000000001F7000-memory.dmp family_redline behavioral1/memory/3040-118-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/3040-124-0x0000000000400000-0x000000000045A000-memory.dmp family_redline behavioral1/memory/3040-125-0x0000000000400000-0x000000000045A000-memory.dmp family_redline -
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description pid Process procid_target PID 2404 created 1228 2404 rdpcllp.exe 21 PID 2404 created 1228 2404 rdpcllp.exe 21 PID 2404 created 1228 2404 rdpcllp.exe 21 PID 2404 created 1228 2404 rdpcllp.exe 21 PID 2404 created 1228 2404 rdpcllp.exe 21 PID 640 created 1228 640 updater.exe 21 PID 640 created 1228 640 updater.exe 21 PID 640 created 1228 640 updater.exe 21 PID 640 created 1228 640 updater.exe 21 PID 640 created 1228 640 updater.exe 21 PID 640 created 1228 640 updater.exe 21 -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description ioc Process File created C:\Windows\System32\drivers\etc\hosts rdpcllp.exe File created C:\Windows\System32\drivers\etc\hosts updater.exe -
Stops running service(s) 3 TTPs
-
Executes dropped EXE 8 IoCs
pid Process 2824 oneetx.exe 2952 taskmask.exe 2404 rdpcllp.exe 1772 taskhostclp.exe 1612 ntlhost.exe 1944 oneetx.exe 640 updater.exe 1644 oneetx.exe -
Loads dropped DLL 10 IoCs
pid Process 3020 tmp.exe 2824 oneetx.exe 2824 oneetx.exe 2896 WerFault.exe 2896 WerFault.exe 2824 oneetx.exe 2896 WerFault.exe 2824 oneetx.exe 1772 taskhostclp.exe 2720 taskeng.exe -
resource yara_rule behavioral1/files/0x0008000000016ca2-133.dat themida behavioral1/files/0x0008000000016ca2-139.dat themida behavioral1/files/0x0008000000016ca2-141.dat themida behavioral1/memory/2404-144-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-143-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-156-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-158-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-159-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-160-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-165-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-179-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-190-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/memory/2404-229-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/files/0x0008000000016ca2-261.dat themida behavioral1/memory/2404-265-0x000000013FED0000-0x0000000140D1A000-memory.dmp themida behavioral1/files/0x0007000000016d85-266.dat themida behavioral1/memory/2720-269-0x000000013F9E0000-0x000000014082A000-memory.dmp themida behavioral1/files/0x0007000000016d85-270.dat themida behavioral1/memory/640-271-0x000000013F9E0000-0x000000014082A000-memory.dmp themida behavioral1/files/0x0007000000016d85-325.dat themida -
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3408354897-1169622894-3874090110-1000\Software\Microsoft\Windows\CurrentVersion\Run\NTSystem = "C:\\Users\\Admin\\AppData\\Roaming\\NTSystem\\ntlhost.exe" taskhostclp.exe -
Drops file in System32 directory 4 IoCs
description ioc Process File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 2404 rdpcllp.exe 1772 taskhostclp.exe 1612 ntlhost.exe 640 updater.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 2952 set thread context of 3040 2952 taskmask.exe 43 PID 640 set thread context of 2268 640 updater.exe 94 PID 640 set thread context of 1852 640 updater.exe 95 -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\Google\Libs\WR64.sys updater.exe File created C:\Program Files\Google\Chrome\updater.exe rdpcllp.exe -
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1404 sc.exe 2240 sc.exe 588 sc.exe 2808 sc.exe 1036 sc.exe 992 sc.exe 1528 sc.exe 2332 sc.exe 1556 sc.exe 1156 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target 2896 2952 WerFault.exe 40 -
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2888 schtasks.exe 2832 schtasks.exe 1324 schtasks.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 9 Go-http-client/1.1 -
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 50145b4e4dc4d901 powershell.exe -
Suspicious behavior: EnumeratesProcesses 49 IoCs
pid Process 3020 tmp.exe 2824 oneetx.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 112 powershell.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 1944 oneetx.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 2144 powershell.exe 3040 AppLaunch.exe 2404 rdpcllp.exe 2404 rdpcllp.exe 3040 AppLaunch.exe 640 updater.exe 640 updater.exe 1792 powershell.exe 640 updater.exe 640 updater.exe 640 updater.exe 640 updater.exe 640 updater.exe 640 updater.exe 2452 powershell.exe 1644 oneetx.exe 640 updater.exe 640 updater.exe 640 updater.exe 640 updater.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe 1852 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 468 Process not Found -
Suspicious use of AdjustPrivilegeToken 15 IoCs
description pid Process Token: SeDebugPrivilege 112 powershell.exe Token: SeDebugPrivilege 3040 AppLaunch.exe Token: SeShutdownPrivilege 2852 powercfg.exe Token: SeDebugPrivilege 2144 powershell.exe Token: SeShutdownPrivilege 3028 powercfg.exe Token: SeShutdownPrivilege 3016 powercfg.exe Token: SeShutdownPrivilege 2756 powercfg.exe Token: SeDebugPrivilege 1792 powershell.exe Token: SeShutdownPrivilege 2116 powercfg.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeShutdownPrivilege 948 powercfg.exe Token: SeShutdownPrivilege 1936 powercfg.exe Token: SeShutdownPrivilege 2036 powercfg.exe Token: SeDebugPrivilege 640 updater.exe Token: SeLockMemoryPrivilege 1852 explorer.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3020 tmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 3020 wrote to memory of 2824 3020 tmp.exe 28 PID 2824 wrote to memory of 2888 2824 oneetx.exe 29 PID 2824 wrote to memory of 2888 2824 oneetx.exe 29 PID 2824 wrote to memory of 2888 2824 oneetx.exe 29 PID 2824 wrote to memory of 2888 2824 oneetx.exe 29 PID 2824 wrote to memory of 2984 2824 oneetx.exe 31 PID 2824 wrote to memory of 2984 2824 oneetx.exe 31 PID 2824 wrote to memory of 2984 2824 oneetx.exe 31 PID 2824 wrote to memory of 2984 2824 oneetx.exe 31 PID 2984 wrote to memory of 2752 2984 cmd.exe 33 PID 2984 wrote to memory of 2752 2984 cmd.exe 33 PID 2984 wrote to memory of 2752 2984 cmd.exe 33 PID 2984 wrote to memory of 2752 2984 cmd.exe 33 PID 2984 wrote to memory of 2788 2984 cmd.exe 34 PID 2984 wrote to memory of 2788 2984 cmd.exe 34 PID 2984 wrote to memory of 2788 2984 cmd.exe 34 PID 2984 wrote to memory of 2788 2984 cmd.exe 34 PID 2984 wrote to memory of 1140 2984 cmd.exe 35 PID 2984 wrote to memory of 1140 2984 cmd.exe 35 PID 2984 wrote to memory of 1140 2984 cmd.exe 35 PID 2984 wrote to memory of 1140 2984 cmd.exe 35 PID 2984 wrote to memory of 2052 2984 cmd.exe 36 PID 2984 wrote to memory of 2052 2984 cmd.exe 36 PID 2984 wrote to memory of 2052 2984 cmd.exe 36 PID 2984 wrote to memory of 2052 2984 cmd.exe 36 PID 2984 wrote to memory of 2468 2984 cmd.exe 37 PID 2984 wrote to memory of 2468 2984 cmd.exe 37 PID 2984 wrote to memory of 2468 2984 cmd.exe 37 PID 2984 wrote to memory of 2468 2984 cmd.exe 37 PID 2984 wrote to memory of 2276 2984 cmd.exe 38 PID 2984 wrote to memory of 2276 2984 cmd.exe 38 PID 2984 wrote to memory of 2276 2984 cmd.exe 38 PID 2984 wrote to memory of 2276 2984 cmd.exe 38 PID 2824 wrote to memory of 2952 2824 oneetx.exe 40 PID 2824 wrote to memory of 2952 2824 oneetx.exe 40 PID 2824 wrote to memory of 2952 2824 oneetx.exe 40 PID 2824 wrote to memory of 2952 2824 oneetx.exe 40 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 3040 2952 taskmask.exe 43 PID 2952 wrote to memory of 2896 2952 taskmask.exe 44 PID 2952 wrote to memory of 2896 2952 taskmask.exe 44 PID 2952 wrote to memory of 2896 2952 taskmask.exe 44 PID 2952 wrote to memory of 2896 2952 taskmask.exe 44 PID 2824 wrote to memory of 2404 2824 oneetx.exe 45 PID 2824 wrote to memory of 2404 2824 oneetx.exe 45 PID 2824 wrote to memory of 2404 2824 oneetx.exe 45 PID 2824 wrote to memory of 2404 2824 oneetx.exe 45 PID 2824 wrote to memory of 1772 2824 oneetx.exe 46 PID 2824 wrote to memory of 1772 2824 oneetx.exe 46 PID 2824 wrote to memory of 1772 2824 oneetx.exe 46 PID 2824 wrote to memory of 1772 2824 oneetx.exe 46
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1228
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN oneetx.exe /TR "C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe" /F4⤵
- Creates scheduled task(s)
PID:2888
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "oneetx.exe" /P "Admin:N"&&CACLS "oneetx.exe" /P "Admin:R" /E&&echo Y|CACLS "..\eb0f58bce7" /P "Admin:N"&&CACLS "..\eb0f58bce7" /P "Admin:R" /E&&Exit4⤵
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2752
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:N"5⤵PID:2788
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "oneetx.exe" /P "Admin:R" /E5⤵PID:1140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"5⤵PID:2052
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\eb0f58bce7" /P "Admin:N"5⤵PID:2468
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\eb0f58bce7" /P "Admin:R" /E5⤵PID:2276
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"C:\Users\Admin\AppData\Local\Temp\1000127001\taskmask.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 365⤵
- Loads dropped DLL
- Program crash
PID:2896
-
-
-
C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"C:\Users\Admin\AppData\Local\Temp\1000128101\rdpcllp.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2404
-
-
C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"C:\Users\Admin\AppData\Local\Temp\1000129001\taskhostclp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1772 -
C:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exeC:\Users\Admin\AppData\Roaming\NTSystem\ntlhost.exe5⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:1612
-
-
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:112
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:1732
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:2240
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:588
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1528
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:2808
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:2332
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2864
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2852
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:2832
-
-
-
C:\Windows\System32\schtasks.exeC:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"2⤵PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1792
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc2⤵PID:3032
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
PID:1556
-
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
PID:1036
-
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
PID:1404
-
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
PID:1156
-
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
PID:992
-
-
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵PID:2692
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2116
-
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:948
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936
-
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
PID:2036
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fyhjjuwy#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452 -
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"3⤵
- Creates scheduled task(s)
PID:1324
-
-
-
C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe2⤵PID:2268
-
-
C:\Windows\explorer.exeC:\Windows\explorer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1852
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {427875FE-C1E7-498F-BF01-C8FC8EBACC2F} S-1-5-21-3408354897-1169622894-3874090110-1000:WGWIREOE\Admin:Interactive:[1]1⤵PID:1692
-
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exeC:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1944
-
-
C:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exeC:\Users\Admin\AppData\Local\Temp\eb0f58bce7\oneetx.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1644
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {02FA4BCC-B3E4-4C46-9F5A-18C19A0AE212} S-1-5-18:NT AUTHORITY\System:Service:1⤵
- Loads dropped DLL
PID:2720 -
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:640
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
4.0MB
MD53258deefff3ca70f3dfa3e67067ca611
SHA1a28ec103c22b03f381dd72073cf620b11881b7b7
SHA25611c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
-
Filesize
4.0MB
MD53258deefff3ca70f3dfa3e67067ca611
SHA1a28ec103c22b03f381dd72073cf620b11881b7b7
SHA25611c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
-
Filesize
4.0MB
MD53258deefff3ca70f3dfa3e67067ca611
SHA1a28ec103c22b03f381dd72073cf620b11881b7b7
SHA25611c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
-
Filesize
70KB
MD5efb6ebc2a900e6cc24768e118f0f20c5
SHA152469f10f4c30fcb5e8b5be81f14e07db616bb8f
SHA2568b3667f8727a415af57dedcd0676654eed265987a3f025d55bcafa9325f7ac8d
SHA512cbb79bf1b70f18fcc1c0d0b3902e711180ed09c77a435b43e59f5292bf461075447c4535961e3e3320197ebc8c513098fb5f9b028e330b0da7239c52913c1c65
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize7KB
MD5dd17d73652822a53d0462028c1a82a3b
SHA14a63c90dcf70bab6a4222ec3de7764ab1c311282
SHA256848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722
SHA512f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KBACVLQ2X0YUKO6HZ5P4.temp
Filesize7KB
MD5dd17d73652822a53d0462028c1a82a3b
SHA14a63c90dcf70bab6a4222ec3de7764ab1c311282
SHA256848b06e91b5e747fd9f21c8a220e28b29b2a597f500318e01e951aa0a8f3c722
SHA512f9f831a79d237b6b6fec48676752f37a4f0a5e2efabc78fff4fe16fef7c4362c88c46e12bf660f34207151b305192000b176971e1cbd0cdd7e3d126b2badf22d
-
Filesize
498.2MB
MD57dac03689ad2c4a751541ce40c6b4984
SHA13b3232db2585f1a6286d4cd9c4af1c395372172b
SHA2560d96815852011078c015ef9cc09d1616a787c367f57b626a5251f27ad7f9fc8f
SHA51225083286030e2419c1727b1ae9a11750ea33fd6379868113c6c54d7d692689b3d11db60bf74672d1fa98d019c4ed911085eb13d181f430612d6d3389eb9ed100
-
Filesize
2KB
MD53e9af076957c5b2f9c9ce5ec994bea05
SHA1a8c7326f6bceffaeed1c2bb8d7165e56497965fe
SHA256e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
SHA512933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
1.8MB
MD55538392914fc8bc5abbc165f87993ffa
SHA1c8ab809922cfb2992d7abf93eb9e2836c5b913c1
SHA256c341e550f75d942d196e5e1fcd4dcf675cc493fe6a1a1b80eb09ab284e2b25d2
SHA512a451009939104e114c80066d81150df2f4d2370e6cfa705222be62d2d6b59975c8d4dd701e0e0fd9c7df39f0c539509ba8f4b9461d7d8271e95ad860c9485841
-
Filesize
8.4MB
MD5768200a76def472e675539094047bed9
SHA124bc17689541656a8a12902c7f19bd991193ca50
SHA25679ff7ea339f95a557cec5e39d944118af6c105c29736e448d5aad60368eae5af
SHA512143cfc563ebd3f57192adc4484ba0b4b246c4b63d3f10b0e90e83ea841ea83488636233eb58a8217fd1a9dd825075f28e0b1f858bc9e4a5fd5abb6e0712fabbb
-
Filesize
4.0MB
MD53258deefff3ca70f3dfa3e67067ca611
SHA1a28ec103c22b03f381dd72073cf620b11881b7b7
SHA25611c3e7a62b3e78c6ec720aea618bf0a3854ad42535f888532c3e206f3724db4c
SHA512541eec13adbb3afcc6ee0cfea2d1ddd71036a0da9be5fe6919a2becca5dc23089754d2e5bfd15886cd8e3981f982e40d28bb467132cfdf04844d930ca612b3b8
-
Filesize
6.5MB
MD589e9bc7a5d97370a0f4a35041a54a696
SHA1c0e8572f48b2e5f83c39374f4175e35a5e7c2029
SHA2569b6b6c5cf8dbafd06176a1f8e5a7cf7fc78a5ffb86df627e6de4eb455506b847
SHA51212100def3ac697a0fce815a3be2e41bb62f47f8a60b273c3cf367096c231c86110903322d8f351d8609f7f5f72f5aaf45d6539e09972c54221697820ece570f2
-
Filesize
489.0MB
MD59e44b0fcc6d9c618e284a08c11a1f483
SHA1da04d3bd6c2a066652843d0fefdcebbe77757d41
SHA2561fe18168913b9ff846a6682137121583ee7be53ea507accbc40f71d7a0dbe57b
SHA512c1d1a0f9f9afece76af7ed153687aafb62a16a91d06d5b4e3ffbc654ee0800f32a804e8c1a3238c45013852e6dd7ae4a55f19567c209fe8a06a5e9ce3e9fe9af