Analysis

max time kernel: 149s
max time network: 131s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 07-08-2023 23:40
Static task: static1
Behavioral task: behavioral1
Sample: 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe
Resource: win10-20230703-en

General

Target: 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe
Size: 290KB
MD5: 4864e1921b46bc11d2358c1985d35cf3
SHA1: a4733168416deba2249b5f8625479858f27b7fe6
SHA256: 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180
SHA512: c659ee82077c32e3fa442888371b3ad51faf8c2426955787a5c4be391b06c476b7a03dc02d80c62c9cd29998a4c7b60d9ad19a0bf679825ead964be9019fee70
SSDEEP: 6144:AzrjLerWERoJs+I/lx59cHMjfqt55W1SEiZ65jQUx:YjiKERo++mjJT1liZ657

Malware Config

Extracted: redline
LogsDiller Cloud (TG: @logsdillabot)
209.250.248.11:33522
auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess (11 IoCs)
description | pid | Process | procid_target
PID 4104 created 3260 | 4104 | setup.exe | 36
PID 4104 created 3260 | 4104 | setup.exe | 36
PID 4104 created 3260 | 4104 | setup.exe | 36
PID 4104 created 3260 | 4104 | setup.exe | 36
PID 4104 created 3260 | 4104 | setup.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
PID 2792 created 3260 | 2792 | updater.exe | 36
XMRig Miner payload (7 IoCs)
resource | yara_rule
behavioral1/memory/2792-732-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | xmrig
behavioral1/memory/5000-736-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
behavioral1/memory/5000-738-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
behavioral1/memory/5000-740-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
behavioral1/memory/5000-742-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
behavioral1/memory/5000-744-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
behavioral1/memory/5000-746-0x00007FF7AEBF0000-0x00007FF7AF3DF000-memory.dmp | xmrig
Downloads MZ/PE file

Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | setup.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe

Stops running service(s) (3 TTPs)

Executes dropped EXE (3 IoCs)
pid | Process
3032 | mi.exe
4104 | setup.exe
2792 | updater.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral1/files/0x000800000001afa3-161.dat | themida
behavioral1/files/0x000800000001afa3-160.dat | themida
behavioral1/memory/4104-162-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-163-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-165-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-166-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-167-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-168-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-169-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-170-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/memory/4104-171-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/files/0x000800000001afa5-271.dat | themida
behavioral1/memory/4104-272-0x00007FF66CA40000-0x00007FF66DC66000-memory.dmp | themida
behavioral1/files/0x000800000001afa5-274.dat | themida
behavioral1/memory/2792-275-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-277-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-278-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-279-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-280-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-281-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-282-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-283-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/memory/2792-442-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
behavioral1/files/0x000800000001afa5-730.dat | themida
behavioral1/memory/2792-732-0x00007FF6934A0000-0x00007FF6946C6000-memory.dmp | themida
Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Drops file in System32 directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
pid | Process
4104 | setup.exe
2792 | updater.exe

Suspicious use of SetThreadContext (2 IoCs)
description | pid | Process | procid_target
PID 2792 set thread context of 4972 | 2792 | updater.exe | 112
PID 2792 set thread context of 5000 | 2792 | updater.exe | 113

Drops file in Program Files directory (2 IoCs)
description | ioc | Process
File created | C:\Program Files\Google\Chrome\updater.exe | setup.exe
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
Launches sc.exe (10 IoCs)
sc.exe is a Windows utility to control services on the system.
pid | Process
2656 | sc.exe
4636 | sc.exe
3756 | sc.exe
2660 | sc.exe
4232 | sc.exe
2188 | sc.exe
2192 | sc.exe
4484 | sc.exe
4568 | sc.exe
4200 | sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; consecutive identical rows collapsed, count shown)
pid | Process | count
5024 | 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe | 3
4104 | setup.exe | 2
3240 | powershell.exe | 3
4104 | setup.exe | 6
5076 | powershell.exe | 3
4104 | setup.exe | 2
2792 | updater.exe | 2
4016 | powershell.exe | 3
2792 | updater.exe | 6
664 | powershell.exe | 3
2792 | updater.exe | 4
5000 | explorer.exe | 27
Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
628 | Process not Found

Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5024 | 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe
Token: SeDebugPrivilege | 3240 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3240 | powershell.exe
Token: SeSecurityPrivilege | 3240 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3240 | powershell.exe
Token: SeLoadDriverPrivilege | 3240 | powershell.exe
Token: SeSystemProfilePrivilege | 3240 | powershell.exe
Token: SeSystemtimePrivilege | 3240 | powershell.exe
Token: SeProfSingleProcessPrivilege | 3240 | powershell.exe
Token: SeIncBasePriorityPrivilege | 3240 | powershell.exe
Token: SeCreatePagefilePrivilege | 3240 | powershell.exe
Token: SeBackupPrivilege | 3240 | powershell.exe
Token: SeRestorePrivilege | 3240 | powershell.exe
Token: SeShutdownPrivilege | 3240 | powershell.exe
Token: SeDebugPrivilege | 3240 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3240 | powershell.exe
Token: SeRemoteShutdownPrivilege | 3240 | powershell.exe
Token: SeUndockPrivilege | 3240 | powershell.exe
Token: SeManageVolumePrivilege | 3240 | powershell.exe
Token: 33 | 3240 | powershell.exe
Token: 34 | 3240 | powershell.exe
Token: 35 | 3240 | powershell.exe
Token: 36 | 3240 | powershell.exe
Token: SeShutdownPrivilege | 4228 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4228 | powercfg.exe
Token: SeShutdownPrivilege | 3248 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3248 | powercfg.exe
Token: SeDebugPrivilege | 5076 | powershell.exe
Token: SeShutdownPrivilege | 1940 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1940 | powercfg.exe
Token: SeShutdownPrivilege | 4584 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4584 | powercfg.exe
Token: SeIncreaseQuotaPrivilege | 5076 | powershell.exe
Token: SeSecurityPrivilege | 5076 | powershell.exe
Token: SeTakeOwnershipPrivilege | 5076 | powershell.exe
Token: SeLoadDriverPrivilege | 5076 | powershell.exe
Token: SeSystemProfilePrivilege | 5076 | powershell.exe
Token: SeSystemtimePrivilege | 5076 | powershell.exe
Token: SeProfSingleProcessPrivilege | 5076 | powershell.exe
Token: SeIncBasePriorityPrivilege | 5076 | powershell.exe
Token: SeCreatePagefilePrivilege | 5076 | powershell.exe
Token: SeBackupPrivilege | 5076 | powershell.exe
Token: SeRestorePrivilege | 5076 | powershell.exe
Token: SeShutdownPrivilege | 5076 | powershell.exe
Token: SeDebugPrivilege | 5076 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 5076 | powershell.exe
Token: SeRemoteShutdownPrivilege | 5076 | powershell.exe
Token: SeUndockPrivilege | 5076 | powershell.exe
Token: SeManageVolumePrivilege | 5076 | powershell.exe
Token: 33 | 5076 | powershell.exe
Token: 34 | 5076 | powershell.exe
Token: 35 | 5076 | powershell.exe
Token: 36 | 5076 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 5076 | powershell.exe
Token: SeSecurityPrivilege | 5076 | powershell.exe
Token: SeTakeOwnershipPrivilege | 5076 | powershell.exe
Token: SeLoadDriverPrivilege | 5076 | powershell.exe
Token: SeSystemProfilePrivilege | 5076 | powershell.exe
Token: SeSystemtimePrivilege | 5076 | powershell.exe
Token: SeProfSingleProcessPrivilege | 5076 | powershell.exe
Token: SeIncBasePriorityPrivilege | 5076 | powershell.exe
Token: SeCreatePagefilePrivilege | 5076 | powershell.exe
Token: SeBackupPrivilege | 5076 | powershell.exe
Token: SeRestorePrivilege | 5076 | powershell.exe
Suspicious use of WriteProcessMemory (43 IoCs; consecutive identical rows collapsed, count shown)
description | pid | Process | procid_target | count
PID 5024 wrote to memory of 3032 | 5024 | 5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe | 71 | 3
PID 3032 wrote to memory of 4104 | 3032 | mi.exe | 72 | 2
PID 4996 wrote to memory of 2656 | 4996 | cmd.exe | 79 | 2
PID 4996 wrote to memory of 2188 | 4996 | cmd.exe | 80 | 2
PID 4996 wrote to memory of 2192 | 4996 | cmd.exe | 81 | 2
PID 4996 wrote to memory of 4484 | 4996 | cmd.exe | 82 | 2
PID 4996 wrote to memory of 4636 | 4996 | cmd.exe | 83 | 2
PID 2228 wrote to memory of 4228 | 2228 | cmd.exe | 88 | 2
PID 2228 wrote to memory of 3248 | 2228 | cmd.exe | 89 | 2
PID 2228 wrote to memory of 1940 | 2228 | cmd.exe | 90 | 2
PID 2228 wrote to memory of 4584 | 2228 | cmd.exe | 91 | 2
PID 2144 wrote to memory of 4568 | 2144 | cmd.exe | 99 | 2
PID 2144 wrote to memory of 3756 | 2144 | cmd.exe | 100 | 2
PID 2144 wrote to memory of 4200 | 2144 | cmd.exe | 101 | 2
PID 2144 wrote to memory of 2660 | 2144 | cmd.exe | 102 | 2
PID 2144 wrote to memory of 4232 | 2144 | cmd.exe | 103 | 2
PID 5108 wrote to memory of 2656 | 5108 | cmd.exe | 108 | 2
PID 5108 wrote to memory of 2088 | 5108 | cmd.exe | 109 | 2
PID 5108 wrote to memory of 4492 | 5108 | cmd.exe | 110 | 2
PID 5108 wrote to memory of 2588 | 5108 | cmd.exe | 111 | 2
PID 2792 wrote to memory of 4972 | 2792 | updater.exe | 112 | 1
PID 2792 wrote to memory of 5000 | 2792 | updater.exe | 113 | 1
Processes (indented by process-tree depth as recorded by the sandbox)

C:\Windows\Explorer.EXE  [PID 3260]
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe  [PID 5024]
    command line: "C:\Users\Admin\AppData\Local\Temp\5303b4aea2db43e76bad4f1e0a4dfed6a1d7e1b0698d6b20366deee89253a180.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\mi.exe  [PID 3032]
      command line: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\Temp\setup.exe  [PID 4104]
        command line: "C:\Windows\Temp\setup.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 3240]
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\cmd.exe  [PID 4996]
    command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe  [PID 2656]
      command line: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 2188]
      command line: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 2192]
      command line: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 4484]
      command line: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 4636]
      command line: sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe  [PID 2228]
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe  [PID 4228]
      command line: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe  [PID 3248]
      command line: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe  [PID 1940]
      command line: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\powercfg.exe  [PID 4584]
      command line: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 5076]
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe  [PID 2232]
    command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 4016]
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\cmd.exe  [PID 2144]
    command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\sc.exe  [PID 4568]
      command line: sc stop UsoSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 3756]
      command line: sc stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 4200]
      command line: sc stop wuauserv
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 2660]
      command line: sc stop bits
      - Launches sc.exe

    C:\Windows\System32\sc.exe  [PID 4232]
      command line: sc stop dosvc
      - Launches sc.exe

  C:\Windows\System32\cmd.exe  [PID 5108]
    command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\powercfg.exe  [PID 2656]
      command line: powercfg /x -hibernate-timeout-ac 0

    C:\Windows\System32\powercfg.exe  [PID 2088]
      command line: powercfg /x -hibernate-timeout-dc 0

    C:\Windows\System32\powercfg.exe  [PID 4492]
      command line: powercfg /x -standby-timeout-ac 0

    C:\Windows\System32\powercfg.exe  [PID 2588]
      command line: powercfg /x -standby-timeout-dc 0

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 664]
    command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\System32\conhost.exe  [PID 4972]
    command line: C:\Windows\System32\conhost.exe

  C:\Windows\explorer.exe  [PID 5000]
    command line: C:\Windows\explorer.exe
    - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\updater.exe  [PID 2792]
  command line: "C:\Program Files\Google\Chrome\updater.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Enterprise v15
Downloads

(unnamed; this entry appears 3 times in the original listing)
Filesize: 9.7MB
MD5: 84741bc02d2e9226a943aa03b6a4568d
SHA1: 617d01316011faf77fba30d49ae1e86ff988380a
SHA256: fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512: 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

(unnamed)
Filesize: 3KB
MD5: 8592ba100a78835a6b94d5949e13dfc1
SHA1: 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256: fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512: 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

(unnamed)
Filesize: 1KB
MD5: aced43cf55054d924b787b696079357c
SHA1: 07e7eb1516ad8a95d773995a62353b419f92b776
SHA256: a41c1aec4f0f26866d3adb50dbe37a2be5e2294ac5dde60dfc7ce7a624cf646b
SHA512: d45be51d0aba76a771f8e653c4e71a0758382fbc70a8c000372d308c5e876fa0cdd78485df1298c159d332024acba53e3384e688929362e22226236eb25bc67e

(unnamed)
Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

(unnamed; this entry appears 2 times in the original listing)
Filesize: 9.9MB
MD5: 80b0b41decb53a01e8c87def18400267
SHA1: 885f327c4e91065486137ca96105190f7a29d0f9
SHA256: 10d8e7a04d05a2690a7e0cc30c10028eda0af680a8787f24cb9668ccbe46e1e1
SHA512: 19bd6c9ab0cfbba34e722f508fcb4a99ae78a0d71ef664b186034c78eda09a61ae63455f7958dd5a50ec6432c822b23582ca7c87309a37fcbbb28e5facf56c8e

(unnamed)
Filesize: 3KB
MD5: 2d29fd3ae57f422e2b2121141dc82253
SHA1: c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256: 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512: 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

(unnamed; this entry appears 2 times in the original listing)
Filesize: 9.7MB
MD5: 84741bc02d2e9226a943aa03b6a4568d
SHA1: 617d01316011faf77fba30d49ae1e86ff988380a
SHA256: fa1f99fdd5beab9a996ff3cb58886dc1811fd6e1ba444aee2d80d0d9b9d5ec93
SHA512: 1c95842c88f7d17a07fa2480281cbdff27136525c80a00387536a0843e040adcac37fd13166ab7f48398d28fd297c92d5c0d0ef4066e68297ea9f30179754379

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 811d351aabd7b708fef7683cf5e29e15
SHA1: 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256: 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512: 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 302a7c179ef577c237c5418fb770fd27
SHA1: 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256: 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512: f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699