redline | 126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f

Analysis

max time kernel
179s
max time network
268s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 04:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe
Size

1.1MB
MD5

f5791bae13938a47f9d1aaf3072d03a1
SHA1

9e2f29b38dafa6953c21f48141215bf9e1eb0af1
SHA256

126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f
SHA512

a25788cc06095807612806e57f006c804bf2113b8673a68596a14eba14c75080853f8c68055e48a819ab4022f42bb7d803c1fb53f2393eb8337c8e93def3d977
SSDEEP

24576:bMkT2MJtLyH63kdA7HVX5UPsmKTgCXcEwF:3JtLyH60dmssPe

Score

10^/10

redline xmrig logsdiller cloud (bot: @logsdillabot)evasion infostealer miner spyware themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (Bot: @logsdillabot)

194.49.94.142:41292

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

resource	yara_rule
behavioral1/memory/1060-3-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1060-2-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1060-5-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1060-9-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline
behavioral1/memory/1060-7-0x0000000000400000-0x000000000043C000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 12 IoCs

description	pid	Process	procid_target
PID 2144 created 1280	2144	mi.exe	14
PID 2144 created 1280	2144	mi.exe	14
PID 2144 created 1280	2144	mi.exe	14
PID 2144 created 1280	2144	mi.exe	14
PID 2144 created 1280	2144	mi.exe	14
PID 2144 created 1280	2144	mi.exe	14
PID 1756 created 1280	1756	updater.exe	14
PID 1756 created 1280	1756	updater.exe	14
PID 1756 created 1280	1756	updater.exe	14
PID 1756 created 1280	1756	updater.exe	14
PID 1756 created 1280	1756	updater.exe	14
PID 1756 created 1280	1756	updater.exe	14

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	mi.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 19 IoCs

miner

resource	yara_rule
behavioral1/memory/1752-110-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-112-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-114-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-116-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-118-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-120-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-122-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-124-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-126-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-128-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-130-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-132-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-134-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-136-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-138-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-140-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-142-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-144-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig
behavioral1/memory/1752-146-0x0000000140000000-0x0000000140840000-memory.dmp	xmrig

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	mi.exe
File created	C:\Windows\System32\drivers\etc\hosts	updater.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	mi.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe

Executes dropped EXE 3 IoCs

pid	Process
2144	mi.exe
472	Process not Found
1756	updater.exe

Loads dropped DLL 1 IoCs

pid	Process
1060	AppLaunch.exe

Themida packer 24 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x0032000000014940-48.dat	themida
behavioral1/files/0x0032000000014940-50.dat	themida
behavioral1/memory/1060-51-0x0000000009600000-0x000000000A7DB000-memory.dmp	themida
behavioral1/memory/2144-52-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-53-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-55-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-57-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-58-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-59-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-70-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/memory/2144-72-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/files/0x0032000000014940-75.dat	themida
behavioral1/memory/2144-77-0x000000013F380000-0x000000014055B000-memory.dmp	themida
behavioral1/files/0x000d000000003d59-79.dat	themida
behavioral1/files/0x000d000000003d59-80.dat	themida
behavioral1/memory/1756-81-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-83-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-84-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-85-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-86-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-87-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/memory/1756-88-0x000000013F260000-0x000000014043B000-memory.dmp	themida
behavioral1/files/0x000d000000003d59-103.dat	themida
behavioral1/memory/1756-106-0x000000013F260000-0x000000014043B000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mi.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2144	mi.exe
1756	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 1756 set thread context of 1808	1756	updater.exe	73
PID 1756 set thread context of 1752	1756	updater.exe	74

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\updater.exe	mi.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2076	sc.exe
2492	sc.exe
2840	sc.exe
524	sc.exe
544	sc.exe
2440	sc.exe
280	sc.exe
1428	sc.exe
2824	sc.exe
1896	sc.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1800	schtasks.exe
572	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = f0c669204818da01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1060	AppLaunch.exe
1060	AppLaunch.exe
1060	AppLaunch.exe
1060	AppLaunch.exe
2144	mi.exe
2144	mi.exe
2768	powershell.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
2144	mi.exe
1756	updater.exe
1756	updater.exe
2460	powershell.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1756	updater.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe
1752	explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
472	Process not Found

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	1060	AppLaunch.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeShutdownPrivilege	996	powercfg.exe
Token: SeShutdownPrivilege	1704	powercfg.exe
Token: SeShutdownPrivilege	1144	powercfg.exe
Token: SeShutdownPrivilege	820	powercfg.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeShutdownPrivilege	340	powercfg.exe
Token: SeShutdownPrivilege	1240	powercfg.exe
Token: SeShutdownPrivilege	1584	powercfg.exe
Token: SeShutdownPrivilege	3056	powercfg.exe
Token: SeLockMemoryPrivilege	1752	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 2508 wrote to memory of 1060	2508	126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe	29
PID 1060 wrote to memory of 2144	1060	AppLaunch.exe	31
PID 1060 wrote to memory of 2144	1060	AppLaunch.exe	31
PID 1060 wrote to memory of 2144	1060	AppLaunch.exe	31
PID 1060 wrote to memory of 2144	1060	AppLaunch.exe	31
PID 1876 wrote to memory of 2824	1876	cmd.exe	36
PID 1876 wrote to memory of 2824	1876	cmd.exe	36
PID 1876 wrote to memory of 2824	1876	cmd.exe	36
PID 1876 wrote to memory of 2840	1876	cmd.exe	37
PID 1876 wrote to memory of 2840	1876	cmd.exe	37
PID 1876 wrote to memory of 2840	1876	cmd.exe	37
PID 1876 wrote to memory of 1896	1876	cmd.exe	38
PID 1876 wrote to memory of 1896	1876	cmd.exe	38
PID 1876 wrote to memory of 1896	1876	cmd.exe	38
PID 1876 wrote to memory of 524	1876	cmd.exe	39
PID 1876 wrote to memory of 524	1876	cmd.exe	39
PID 1876 wrote to memory of 524	1876	cmd.exe	39
PID 1876 wrote to memory of 544	1876	cmd.exe	40
PID 1876 wrote to memory of 544	1876	cmd.exe	40
PID 1876 wrote to memory of 544	1876	cmd.exe	40
PID 2976 wrote to memory of 996	2976	cmd.exe	45
PID 2976 wrote to memory of 996	2976	cmd.exe	45
PID 2976 wrote to memory of 996	2976	cmd.exe	45
PID 2976 wrote to memory of 1704	2976	cmd.exe	48
PID 2976 wrote to memory of 1704	2976	cmd.exe	48
PID 2976 wrote to memory of 1704	2976	cmd.exe	48
PID 2976 wrote to memory of 1144	2976	cmd.exe	49
PID 2976 wrote to memory of 1144	2976	cmd.exe	49
PID 2976 wrote to memory of 1144	2976	cmd.exe	49
PID 2976 wrote to memory of 820	2976	cmd.exe	50
PID 2976 wrote to memory of 820	2976	cmd.exe	50
PID 2976 wrote to memory of 820	2976	cmd.exe	50
PID 596 wrote to memory of 2076	596	cmd.exe	60
PID 596 wrote to memory of 2076	596	cmd.exe	60
PID 596 wrote to memory of 2076	596	cmd.exe	60
PID 596 wrote to memory of 2440	596	cmd.exe	61
PID 596 wrote to memory of 2440	596	cmd.exe	61
PID 596 wrote to memory of 2440	596	cmd.exe	61
PID 596 wrote to memory of 2492	596	cmd.exe	62
PID 596 wrote to memory of 2492	596	cmd.exe	62
PID 596 wrote to memory of 2492	596	cmd.exe	62
PID 596 wrote to memory of 280	596	cmd.exe	63
PID 596 wrote to memory of 280	596	cmd.exe	63
PID 596 wrote to memory of 280	596	cmd.exe	63
PID 596 wrote to memory of 1428	596	cmd.exe	64
PID 596 wrote to memory of 1428	596	cmd.exe	64
PID 596 wrote to memory of 1428	596	cmd.exe	64
PID 1908 wrote to memory of 340	1908	cmd.exe	69
PID 1908 wrote to memory of 340	1908	cmd.exe	69
PID 1908 wrote to memory of 340	1908	cmd.exe	69
PID 1908 wrote to memory of 1240	1908	cmd.exe	70
PID 1908 wrote to memory of 1240	1908	cmd.exe	70
PID 1908 wrote to memory of 1240	1908	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1280
- C:\Users\Admin\AppData\Local\Temp\126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe
  "C:\Users\Admin\AppData\Local\Temp\126e96c42263dc94d0101811de5b4d0b2e52868c07eee6af4183ee719252fb3f.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\mi.exe
      "C:\Users\Admin\AppData\Local\Temp\mi.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Drops file in Drivers directory
      Checks BIOS information in registry
      Executes dropped EXE
      Checks whether UAC is enabled
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      PID:2144
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2768
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2824
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2840
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1896
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:544
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1704
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1144
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:2948
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Users\Admin\AppData\Local\Temp\bgivzdldaodn.xml"
  2⤵
  - Creates scheduled task(s)
  PID:572
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:1164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2076
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2440
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2492
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:280
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:1428
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:340
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1240
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1584
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "GoogleUpdateTaskMachineQC" /xml "C:\Windows\TEMP\bgivzdldaodn.xml"
  2⤵
  - Creates scheduled task(s)
  PID:1800
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1808
- C:\Windows\explorer.exe
  C:\Windows\explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1752

C:\Program Files\Google\Chrome\updater.exe
"C:\Program Files\Google\Chrome\updater.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\updater.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
C:\Program Files\Google\Chrome\updater.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab73AC.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar741C.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\bgivzdldaodn.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
C:\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
C:\Windows\TEMP\bgivzdldaodn.xml

Filesize
1KB

MD5
546d67a48ff2bf7682cea9fac07b942e

SHA1
a2cb3a9a97fd935b5e62d4c29b3e2c5ab7d5fc90

SHA256
eff7edc19e6c430aaeca7ea8a77251c74d1e9abb79b183a9ee1f58c2934b4b6a

SHA512
10d90edf31c0955bcec52219d854952fd38768bd97e8e50d32a1237bccaf1a5eb9f824da0f81a7812e0ce62c0464168dd0201d1c0eb61b9fe253fe7c89de05fe

Download Submit
\Program Files\Google\Chrome\updater.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
\Users\Admin\AppData\Local\Temp\mi.exe

Filesize
9.7MB

MD5
a37c5ab3596c1a6432f58fb27a2494f6

SHA1
9d1b6191aa25055956062a83fa46653c403fdf25

SHA256
3f1ab16fadf89c8da10816bb3084d426c7fc8cc268ffbeda86478c0e683863af

SHA512
ef27036d622c88edd9e025ff1d1cd997f897e416338a7d04d33cdc8cb7f88ed20b3e809b429b0b998211e01804f705d494d50686a8190769794526458512fe92

Download Submit
memory/1060-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-7-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-51-0x0000000009600000-0x000000000A7DB000-memory.dmp

Filesize
17.9MB

Download
memory/1060-11-0x0000000007340000-0x0000000007380000-memory.dmp

Filesize
256KB

Download
memory/1060-1-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-3-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-56-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1060-5-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1060-10-0x00000000744B0000-0x0000000074B9E000-memory.dmp

Filesize
6.9MB

Download
memory/1060-4-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-138-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-130-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-128-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-126-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-124-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-122-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-120-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-118-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-132-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-134-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-116-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-114-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-136-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-140-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-112-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-110-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-142-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-107-0x00000000005A0000-0x00000000005C0000-memory.dmp

Filesize
128KB

Download
memory/1752-144-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1752-146-0x0000000140000000-0x0000000140840000-memory.dmp

Filesize
8.2MB

Download
memory/1756-108-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/1756-83-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-88-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-81-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-82-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/1756-106-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-84-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-85-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-95-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/1756-86-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1756-87-0x000000013F260000-0x000000014043B000-memory.dmp

Filesize
17.9MB

Download
memory/1808-109-0x0000000140000000-0x0000000140013000-memory.dmp

Filesize
76KB

Download
memory/2144-59-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-58-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-57-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-55-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-53-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-70-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-54-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2144-52-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-78-0x0000000077400000-0x00000000775A9000-memory.dmp

Filesize
1.7MB

Download
memory/2144-77-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2144-72-0x000000013F380000-0x000000014055B000-memory.dmp

Filesize
17.9MB

Download
memory/2460-97-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-93-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-90-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/2460-91-0x000007FEF5500000-0x000007FEF5E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-92-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2460-94-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2460-96-0x00000000012A0000-0x0000000001320000-memory.dmp

Filesize
512KB

Download
memory/2460-89-0x0000000019CC0000-0x0000000019FA2000-memory.dmp

Filesize
2.9MB

Download
memory/2768-64-0x000000001B180000-0x000000001B462000-memory.dmp

Filesize
2.9MB

Download
memory/2768-65-0x0000000002100000-0x0000000002108000-memory.dmp

Filesize
32KB

Download
memory/2768-69-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-66-0x000007FEF55A0000-0x000007FEF5F3D000-memory.dmp

Filesize
9.6MB

Download
memory/2768-67-0x0000000002744000-0x0000000002747000-memory.dmp

Filesize
12KB

Download
memory/2768-68-0x0000000002740000-0x00000000027C0000-memory.dmp

Filesize
512KB

Download