Analysis
max time kernel: 149s
max time network: 143s
platform: windows10-1703_x64
resource: win10-20230703-en
resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
submitted: 08-08-2023 20:00
Static task: static1
Behavioral task: behavioral1
Sample: e0414dcf39d1df273d8c94d6a977c2443ae0d115e903dda528d87f5d1be10ec6.exe
Resource: win10-20230703-en

General
Target: e0414dcf39d1df273d8c94d6a977c2443ae0d115e903dda528d87f5d1be10ec6.exe
Size: 385KB
MD5: f235938a2a7b1712ec278123f70f7529
SHA1: 28760a8523738bcfaf4e95b0de756d324ccc389d
SHA256: e0414dcf39d1df273d8c94d6a977c2443ae0d115e903dda528d87f5d1be10ec6
SHA512: c8ccaa244b7bd43fe9cfc68c3af17063d033726bf93a55311084d3ffd263606c2c0737b4e510073a7b4912de329cb51dbc9fe5d88c9238e57f7ec7240576c317
SSDEEP: 6144:FnIvVNP8yPuW/UbnW9Pl997LEZKxmEq1Admg5b5FIXc5iDd:Fn8BuW/UTWrQOsoxkJDd

Malware Config
Extracted: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 209.250.248.11:33522
auth_value: 3a050df92d0cf082b2cdaf87863616be

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
PID 3180 created 3188 (setup.exe, procid_target 68), 5 occurrences
PID 3196 created 3188 (updater.exe, procid_target 68), 6 occurrences

XMRig Miner payload 6 IoCs
behavioral1/memory/3196-733-0x00007FF76F330000-0x00007FF770556000-memory.dmp (yara rule: xmrig)
behavioral1/memory/4672-736-0x00007FF699780000-0x00007FF699F6F000-memory.dmp (yara rule: xmrig)
behavioral1/memory/4672-738-0x00007FF699780000-0x00007FF699F6F000-memory.dmp (yara rule: xmrig)
behavioral1/memory/4672-740-0x00007FF699780000-0x00007FF699F6F000-memory.dmp (yara rule: xmrig)
behavioral1/memory/4672-742-0x00007FF699780000-0x00007FF699F6F000-memory.dmp (yara rule: xmrig)
behavioral1/memory/4672-744-0x00007FF699780000-0x00007FF699F6F000-memory.dmp (yara rule: xmrig)

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
File created C:\Windows\System32\drivers\etc\hosts (setup.exe)
File created C:\Windows\System32\drivers\etc\hosts (updater.exe)

Stops running service(s) 3 TTPs

Executes dropped EXE 3 IoCs
PID 4996 mi.exe
PID 3180 setup.exe
PID 3196 updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (yara rule: themida)

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Drops file in System32 directory 3 IoCs
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
PID 3180 setup.exe
PID 3196 updater.exe

Suspicious use of SetThreadContext 2 IoCs
PID 3196 set thread context of 3656 (updater.exe, procid_target 112)
PID 3196 set thread context of 4672 (updater.exe, procid_target 113)

Drops file in Program Files directory 2 IoCs
File created C:\Program Files\Google\Chrome\updater.exe (setup.exe)
File created C:\Program Files\Google\Libs\WR64.sys (updater.exe)

Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
sc.exe PIDs: 4472, 2940, 5000, 312, 4492, 4896, 1764, 3956, 1344, 3992

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: LoadsDriver 1 IoCs
PID 628 (Process not Found)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 43 IoCs
Processes
Indentation and the bracketed number give the nesting depth reported by the sandbox; depth-2 entries are children of Explorer.EXE (PID 3188).

[1] C:\Windows\Explorer.EXE (PID 3188)
    cmdline: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\e0414dcf39d1df273d8c94d6a977c2443ae0d115e903dda528d87f5d1be10ec6.exe (PID 4892)
      cmdline: "C:\Users\Admin\AppData\Local\Temp\e0414dcf39d1df273d8c94d6a977c2443ae0d115e903dda528d87f5d1be10ec6.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\AppData\Local\Temp\mi.exe (PID 4996)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Temp\setup.exe (PID 3180)
          cmdline: "C:\Windows\Temp\setup.exe"
          - Suspicious use of NtCreateUserProcessOtherParentProcess
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Drops file in Program Files directory
          - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4488)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\cmd.exe (PID 1648)
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe (PID 3956)
        cmdline: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 1344)
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 2940)
        cmdline: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 3992)
        cmdline: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4492)
        cmdline: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe (PID 4864)
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\powercfg.exe (PID 1904)
        cmdline: powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe (PID 324)
        cmdline: powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe (PID 3844)
        cmdline: powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\powercfg.exe (PID 4692)
        cmdline: powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1848)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\System32\schtasks.exe (PID 3276)
      cmdline: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4340)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\cmd.exe (PID 3924)
      cmdline: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\sc.exe (PID 5000)
        cmdline: sc stop UsoSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 312)
        cmdline: sc stop WaaSMedicSvc
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4896)
        cmdline: sc stop wuauserv
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 1764)
        cmdline: sc stop bits
        - Launches sc.exe
    [3] C:\Windows\System32\sc.exe (PID 4472)
        cmdline: sc stop dosvc
        - Launches sc.exe
  [2] C:\Windows\System32\cmd.exe (PID 440)
      cmdline: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\System32\powercfg.exe (PID 5100)
        cmdline: powercfg /x -hibernate-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 3052)
        cmdline: powercfg /x -hibernate-timeout-dc 0
    [3] C:\Windows\System32\powercfg.exe (PID 3948)
        cmdline: powercfg /x -standby-timeout-ac 0
    [3] C:\Windows\System32\powercfg.exe (PID 3844)
        cmdline: powercfg /x -standby-timeout-dc 0
  [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1824)
      cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#syxapd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
  [2] C:\Windows\System32\conhost.exe (PID 3656)
      cmdline: C:\Windows\System32\conhost.exe
  [2] C:\Windows\explorer.exe (PID 4672)
      cmdline: C:\Windows\explorer.exe
      - Suspicious behavior: EnumeratesProcesses
[1] C:\Program Files\Google\Chrome\updater.exe (PID 3196)
    cmdline: "C:\Program Files\Google\Chrome\updater.exe"
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize: 3KB
MD5: 573d77d4e77a445f5db769812a0be865
SHA1: 7473d15ef2d3c6894edefd472f411c8e3209a99c
SHA256: 5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512: af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize: 1KB
MD5: 631f4b3792b263fdda6b265e93be4747
SHA1: 1d6916097d419198bfdf78530d59d0d9f3e12d45
SHA256: 4e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512: e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe