Analysis
-
max time kernel
149s -
max time network
132s -
platform
windows10-1703_x64 -
resource
win10-20230703-en -
resource tags
arch:x64 arch:x86 image:win10-20230703-en locale:en-us os:windows10-1703-x64 system -
submitted
15-08-2023 19:31
Static task
static1
Behavioral task
behavioral1
Sample
2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe
Resource
win10-20230703-en
General
-
Target
2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe
-
Size
319KB
-
MD5
dfef03be570d787f0981593f97621f8c
-
SHA1
2e6a5e890aa34d697500be0af0236762b5754d79
-
SHA256
2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4
-
SHA512
f84fae1ddbb369ad2341a829dc361297d989810266eec80c07f57a70e00a50a8ff3a0df56811380bdc7a2dc6849b523b4388d5dc01e95fe1740089becfe3b457
-
SSDEEP
3072:aXQUkNkeLxlvWAG7ahvIydlncBQ7H+4cj8zVL7FUT9AqLMd7CAuAPret8j4OiPaF:6feLLexeKydgQJcjGVL7MpidbJj41RO
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
51.83.170.21:19447
-
auth_value
3a050df92d0cf082b2cdaf87863616be
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
description | pid | Process | procid_target
PID 1716 created 3252 | 1716 | setup.exe | 30
PID 1716 created 3252 | 1716 | setup.exe | 30
PID 1716 created 3252 | 1716 | setup.exe | 30
PID 1716 created 3252 | 1716 | setup.exe | 30
PID 1716 created 3252 | 1716 | setup.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
PID 2404 created 3252 | 2404 | updater.exe | 30
-
XMRig Miner payload 3 IoCs
resource | yara_rule
behavioral1/memory/2404-738-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | xmrig
behavioral1/memory/5096-742-0x00007FF697030000-0x00007FF69781F000-memory.dmp | xmrig
behavioral1/memory/5096-744-0x00007FF697030000-0x00007FF69781F000-memory.dmp | xmrig
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\drivers\etc\hosts | setup.exe
File created | C:\Windows\System32\drivers\etc\hosts | updater.exe
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 3 IoCs
pid | Process
4112 | mi.exe
1716 | setup.exe
2404 | updater.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource | yara_rule
behavioral1/files/0x000800000001b016-164.dat | themida
behavioral1/files/0x000800000001b016-165.dat | themida
behavioral1/memory/1716-166-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-167-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-169-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-170-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-171-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-172-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-173-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-174-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-175-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/memory/1716-200-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/files/0x000800000001b018-275.dat | themida
behavioral1/memory/1716-276-0x00007FF6093C0000-0x00007FF60A625000-memory.dmp | themida
behavioral1/files/0x000800000001b018-278.dat | themida
behavioral1/memory/2404-279-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-281-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-282-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-283-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-284-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-285-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-286-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-287-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-314-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/memory/2404-571-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
behavioral1/files/0x000800000001b018-736.dat | themida
behavioral1/memory/2404-738-0x00007FF7BC7E0000-0x00007FF7BDA45000-memory.dmp | themida
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Drops file in System32 directory 3 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1716 | setup.exe
2404 | updater.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2404 set thread context of 4328 | 2404 | updater.exe | 113
PID 2404 set thread context of 5096 | 2404 | updater.exe | 114
-
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files\Google\Libs\WR64.sys | updater.exe
File created | C:\Program Files\Google\Chrome\updater.exe | setup.exe
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
772 | sc.exe
2844 | sc.exe
760 | sc.exe
4852 | sc.exe
2836 | sc.exe
4928 | sc.exe
1676 | sc.exe
3160 | sc.exe
4844 | sc.exe
4464 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 powershell.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 1716 setup.exe 1716 setup.exe 4744 powershell.exe 4744 powershell.exe 4744 powershell.exe 1716 setup.exe 1716 setup.exe 1716 setup.exe 1716 setup.exe 1716 setup.exe 1716 setup.exe 4752 powershell.exe 4752 powershell.exe 4752 powershell.exe 1716 setup.exe 1716 setup.exe 2404 updater.exe 2404 updater.exe 2232 powershell.exe 2232 powershell.exe 2232 powershell.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 760 powershell.exe 760 powershell.exe 760 powershell.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 2404 updater.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe 5096 explorer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
640 | Process not Found
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe Token: SeDebugPrivilege 4744 powershell.exe Token: SeIncreaseQuotaPrivilege 4744 powershell.exe Token: SeSecurityPrivilege 4744 powershell.exe Token: SeTakeOwnershipPrivilege 4744 powershell.exe Token: SeLoadDriverPrivilege 4744 powershell.exe Token: SeSystemProfilePrivilege 4744 powershell.exe Token: SeSystemtimePrivilege 4744 powershell.exe Token: SeProfSingleProcessPrivilege 4744 powershell.exe Token: SeIncBasePriorityPrivilege 4744 powershell.exe Token: SeCreatePagefilePrivilege 4744 powershell.exe Token: SeBackupPrivilege 4744 powershell.exe Token: SeRestorePrivilege 4744 powershell.exe Token: SeShutdownPrivilege 4744 powershell.exe Token: SeDebugPrivilege 4744 powershell.exe Token: SeSystemEnvironmentPrivilege 4744 powershell.exe Token: SeRemoteShutdownPrivilege 4744 powershell.exe Token: SeUndockPrivilege 4744 powershell.exe Token: SeManageVolumePrivilege 4744 powershell.exe Token: 33 4744 powershell.exe Token: 34 4744 powershell.exe Token: 35 4744 powershell.exe Token: 36 4744 powershell.exe Token: SeShutdownPrivilege 2128 powercfg.exe Token: SeCreatePagefilePrivilege 2128 powercfg.exe Token: SeShutdownPrivilege 3756 powercfg.exe Token: SeCreatePagefilePrivilege 3756 powercfg.exe Token: SeDebugPrivilege 4752 powershell.exe Token: SeShutdownPrivilege 2456 powercfg.exe Token: SeCreatePagefilePrivilege 2456 powercfg.exe Token: SeShutdownPrivilege 2416 powercfg.exe Token: SeCreatePagefilePrivilege 2416 powercfg.exe Token: SeIncreaseQuotaPrivilege 4752 powershell.exe Token: SeSecurityPrivilege 4752 powershell.exe Token: SeTakeOwnershipPrivilege 4752 powershell.exe Token: SeLoadDriverPrivilege 4752 powershell.exe Token: SeSystemProfilePrivilege 4752 powershell.exe Token: SeSystemtimePrivilege 4752 powershell.exe Token: SeProfSingleProcessPrivilege 4752 powershell.exe Token: SeIncBasePriorityPrivilege 4752 powershell.exe Token: 
SeCreatePagefilePrivilege 4752 powershell.exe Token: SeBackupPrivilege 4752 powershell.exe Token: SeRestorePrivilege 4752 powershell.exe Token: SeShutdownPrivilege 4752 powershell.exe Token: SeDebugPrivilege 4752 powershell.exe Token: SeSystemEnvironmentPrivilege 4752 powershell.exe Token: SeRemoteShutdownPrivilege 4752 powershell.exe Token: SeUndockPrivilege 4752 powershell.exe Token: SeManageVolumePrivilege 4752 powershell.exe Token: 33 4752 powershell.exe Token: 34 4752 powershell.exe Token: 35 4752 powershell.exe Token: 36 4752 powershell.exe Token: SeIncreaseQuotaPrivilege 4752 powershell.exe Token: SeSecurityPrivilege 4752 powershell.exe Token: SeTakeOwnershipPrivilege 4752 powershell.exe Token: SeLoadDriverPrivilege 4752 powershell.exe Token: SeSystemProfilePrivilege 4752 powershell.exe Token: SeSystemtimePrivilege 4752 powershell.exe Token: SeProfSingleProcessPrivilege 4752 powershell.exe Token: SeIncBasePriorityPrivilege 4752 powershell.exe Token: SeCreatePagefilePrivilege 4752 powershell.exe Token: SeBackupPrivilege 4752 powershell.exe Token: SeRestorePrivilege 4752 powershell.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target PID 2872 wrote to memory of 4112 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 71 PID 2872 wrote to memory of 4112 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 71 PID 2872 wrote to memory of 4112 2872 2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe 71 PID 4112 wrote to memory of 1716 4112 mi.exe 72 PID 4112 wrote to memory of 1716 4112 mi.exe 72 PID 776 wrote to memory of 760 776 cmd.exe 79 PID 776 wrote to memory of 760 776 cmd.exe 79 PID 776 wrote to memory of 4852 776 cmd.exe 80 PID 776 wrote to memory of 4852 776 cmd.exe 80 PID 776 wrote to memory of 1676 776 cmd.exe 81 PID 776 wrote to memory of 1676 776 cmd.exe 81 PID 776 wrote to memory of 3160 776 cmd.exe 82 PID 776 wrote to memory of 3160 776 cmd.exe 82 PID 776 wrote to memory of 2836 776 cmd.exe 83 PID 776 wrote to memory of 2836 776 cmd.exe 83 PID 2016 wrote to memory of 2128 2016 cmd.exe 88 PID 2016 wrote to memory of 2128 2016 cmd.exe 88 PID 2016 wrote to memory of 3756 2016 cmd.exe 89 PID 2016 wrote to memory of 3756 2016 cmd.exe 89 PID 2016 wrote to memory of 2456 2016 cmd.exe 90 PID 2016 wrote to memory of 2456 2016 cmd.exe 90 PID 2016 wrote to memory of 2416 2016 cmd.exe 91 PID 2016 wrote to memory of 2416 2016 cmd.exe 91 PID 3708 wrote to memory of 4928 3708 cmd.exe 100 PID 3708 wrote to memory of 4928 3708 cmd.exe 100 PID 3708 wrote to memory of 772 3708 cmd.exe 101 PID 3708 wrote to memory of 772 3708 cmd.exe 101 PID 3708 wrote to memory of 4844 3708 cmd.exe 102 PID 3708 wrote to memory of 4844 3708 cmd.exe 102 PID 3708 wrote to memory of 2844 3708 cmd.exe 103 PID 3708 wrote to memory of 2844 3708 cmd.exe 103 PID 3708 wrote to memory of 4464 3708 cmd.exe 104 PID 3708 wrote to memory of 4464 3708 cmd.exe 104 PID 2164 wrote to memory of 3532 2164 cmd.exe 109 PID 2164 wrote to memory of 3532 2164 cmd.exe 109 PID 2164 wrote to memory of 2128 2164 cmd.exe 110 PID 2164 wrote to memory of 
2128 2164 cmd.exe 110 PID 2164 wrote to memory of 2456 2164 cmd.exe 111 PID 2164 wrote to memory of 2456 2164 cmd.exe 111 PID 2164 wrote to memory of 5076 2164 cmd.exe 112 PID 2164 wrote to memory of 5076 2164 cmd.exe 112 PID 2404 wrote to memory of 4328 2404 updater.exe 113 PID 2404 wrote to memory of 5096 2404 updater.exe 114
Processes
-
[level 1] C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
PID:3252
-
[level 2] C:\Users\Admin\AppData\Local\Temp\2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe
command line: "C:\Users\Admin\AppData\Local\Temp\2643820930556ff776701cad2950b82f28eef6155643c88922cce5d90db470c4.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872 -
[level 3] C:\Users\Admin\AppData\Local\Temp\mi.exe
command line: "C:\Users\Admin\AppData\Local\Temp\mi.exe"
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
[level 4] C:\Windows\Temp\setup.exe
command line: "C:\Windows\Temp\setup.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1716
-
-
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4744
-
-
[level 2] C:\Windows\System32\cmd.exe
command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
- Suspicious use of WriteProcessMemory
PID:776 -
[level 3] C:\Windows\System32\sc.exe
command line: sc stop UsoSvc
- Launches sc.exe
PID:760
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop WaaSMedicSvc
- Launches sc.exe
PID:4852
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop wuauserv
- Launches sc.exe
PID:1676
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop bits
- Launches sc.exe
PID:3160
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop dosvc
- Launches sc.exe
PID:2836
-
-
-
[level 2] C:\Windows\System32\cmd.exe
command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
PID:2016 -
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -hibernate-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
PID:2128
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -hibernate-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
PID:3756
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -standby-timeout-ac 0
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -standby-timeout-dc 0
- Suspicious use of AdjustPrivilegeToken
PID:2416
-
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752
-
-
[level 2] C:\Windows\System32\schtasks.exe
command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
PID:672
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2232
-
-
[level 2] C:\Windows\System32\cmd.exe
command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
- Suspicious use of WriteProcessMemory
PID:3708 -
[level 3] C:\Windows\System32\sc.exe
command line: sc stop UsoSvc
- Launches sc.exe
PID:4928
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop WaaSMedicSvc
- Launches sc.exe
PID:772
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop wuauserv
- Launches sc.exe
PID:4844
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop bits
- Launches sc.exe
PID:2844
-
-
[level 3] C:\Windows\System32\sc.exe
command line: sc stop dosvc
- Launches sc.exe
PID:4464
-
-
-
[level 2] C:\Windows\System32\cmd.exe
command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
- Suspicious use of WriteProcessMemory
PID:2164 -
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -hibernate-timeout-ac 0
PID:3532
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -hibernate-timeout-dc 0
PID:2128
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -standby-timeout-ac 0
PID:2456
-
-
[level 3] C:\Windows\System32\powercfg.exe
command line: powercfg /x -standby-timeout-dc 0
PID:5076
-
-
-
[level 2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#lwilj#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:760
-
-
[level 2] C:\Windows\System32\conhost.exe
command line: C:\Windows\System32\conhost.exe
PID:4328
-
-
[level 2] C:\Windows\explorer.exe
command line: C:\Windows\explorer.exe
- Suspicious behavior: EnumeratesProcesses
PID:5096
-
-
[level 1] C:\Program Files\Google\Chrome\updater.exe
command line: "C:\Program Files\Google\Chrome\updater.exe"
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2404
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
9.8MB
MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08
-
Filesize
9.8MB
MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08
-
Filesize
9.8MB
MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08
-
Filesize
3KB
MD5 8592ba100a78835a6b94d5949e13dfc1
SHA1 63e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256 fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA512 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD5 53a16ee018610997541c412e7758527f
SHA1 36c9e429ca765342e354c279fbb5388ff9fcbd5c
SHA256 7712d6588d7661f9d897453f32be02bf213aaa6b08087651b6808bfbdc1f2cb3
SHA512 5557402e715c1bb07e2f494ceef26bdfb245aa3bf86b1caf9dc66051a0db44b81248320b5ef0748d11484e9979c74eef30352b45bfbcdb593b26d959ba46a9da
-
Filesize
1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
10.0MB
MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40
-
Filesize
10.0MB
MD5 aba23d7f60f40f4dee64fa440d5db6e6
SHA1 dde62462dc7887a6b3ba193eafb50da17ef40e67
SHA256 6398817cc923cfad6178c53c6ba9da1f30c426cd183bfdf86889faba8b4732d6
SHA512 ad89270a47e292c931f47da322c055e168b0c4e28de69a20cbf42db9e60fbd59ceb02c01d1c18b1c931d0f23d19230b1c6390d98f36048a3c581b78ffe75ce40
-
Filesize
3KB
MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68
-
Filesize
9.8MB
MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08
-
Filesize
9.8MB
MD5 bc202c47461acbe8bef80e143eb3a364
SHA1 0ef433c2e54c4097f0ac3dc722fb9e4e7b7c2634
SHA256 df144eec828ac28a99d5d148493b3a4c8f36fce79ea7c41c08511ff69d6762bb
SHA512 3bec158714630e6d38867ddba74eda37e036fa2d31c3b3b83229ab593ee85e36c9964aebb31a847bb5b0e65932d8fcfe0860cb6b2a7a31c10204887daa018e08
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 811d351aabd7b708fef7683cf5e29e15
SHA1 06fd89e5a575f45d411cf4b3a2d277e642e73dbb
SHA256 0915139ab02088c3932bcc062ce22d4e9c81aa6df0eacd62900d73d7ad2d3b18
SHA512 702d847c2aa3c9526ddf34249de06e58f5e3182d6ef66f77ddbdbbd2e9836026da6eacac2c892cf186d79bdc227a85c14f493b746c03233ef8820d981721c70a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 302a7c179ef577c237c5418fb770fd27
SHA1 343ef00d1357a8d2ff6e1143541a8a29435ed30c
SHA256 9e6b50764916c21c41d6e7c4999bdf27120c069ec7a9268100e1ce5df845149f
SHA512 f2472371a322d0352772defb959ea0a9da0d5ca8f412f6abafac2e6547bcc8a53394a6fb81b488521fc256bfc9f3205d92c6b69d6d139bdb260fb46578946699