Analysis
max time kernel: 225s
max time network: 297s
platform: windows10-1703_x64
resource: win10-20231215-en
resource tags: arch:x64 arch:x86 image:win10-20231215-en locale:en-us os:windows10-1703-x64 system
submitted: 12/02/2024, 04:56
Static task: static1
Behavioral task: behavioral1
    Sample: 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe
    Resource: win7-20231129-en
Behavioral task: behavioral2
    Sample: 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe
    Resource: win10-20231215-en
General
Target: 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe
Size: 473KB
MD5: abfcb597aba704faa71413f1c113981d
SHA1: 823fc94f17e7981098f15ebcc05b6decc3faf716
SHA256: 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b
SHA512: 899001c907d25acd0fb47457b7ea6366831de5c052ef69635cb8ff391289fdf16074c1e9ebbd770f93877eb904a4bf481f28442f69a96bebc10fcbb00d85b2ec
SSDEEP: 6144:7DKW1Lgbdl0TBBvjc/CoMKypduBiXa3p5+jDgYHHRo5z9KtmDaimb/u10FcC+FYg:Ph1Lk70TnvjceK+q3p58DnRuzLAAF/BZ
Malware Config
Extracted
Family: redline
Botnet: LogsDiller Cloud (Telegram: @logsdillabot)
C2: 5.42.65.38:46185
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource | yara_rule
behavioral2/memory/916-10-0x0000000000400000-0x0000000000454000-memory.dmp | family_redline

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | filename.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | updater.exe
XMRig Miner payload 17 IoCs
resource | yara_rule
behavioral2/memory/4808-276-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-277-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-279-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-280-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-281-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-282-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-283-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-284-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-285-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-286-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-287-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-288-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-289-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-290-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-291-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-292-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral2/memory/4808-293-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
Creates new service(s) 1 TTPs

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\hosts | filename.exe
File created | C:\Windows\system32\drivers\etc\hosts | updater.exe

Stops running service(s) 3 TTPs

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | filename.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | filename.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | updater.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | updater.exe
Executes dropped EXE 2 IoCs
pid | Process
3320 | filename.exe
3528 | updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/files/0x000700000001abf0-30.dat | themida
behavioral2/memory/3320-35-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3320-34-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3320-37-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3320-38-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3320-39-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3320-93-0x00007FF6E8C10000-0x00007FF6E9963000-memory.dmp | themida
behavioral2/memory/3528-97-0x00007FF6CCA30000-0x00007FF6CD783000-memory.dmp | themida
behavioral2/memory/3528-98-0x00007FF6CCA30000-0x00007FF6CD783000-memory.dmp | themida
behavioral2/memory/3528-100-0x00007FF6CCA30000-0x00007FF6CD783000-memory.dmp | themida
behavioral2/memory/3528-101-0x00007FF6CCA30000-0x00007FF6CD783000-memory.dmp | themida
behavioral2/memory/3528-273-0x00007FF6CCA30000-0x00007FF6CD783000-memory.dmp | themida

resource | yara_rule
behavioral2/memory/4808-269-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-270-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-271-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-272-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-274-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-276-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-277-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-279-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-280-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-281-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-282-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-283-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-284-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-285-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-286-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-287-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-288-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-289-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-290-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-291-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-292-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral2/memory/4808-293-0x0000000140000000-0x0000000140848000-memory.dmp | upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | updater.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | filename.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\MRT.exe | filename.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | updater.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
3320 | filename.exe
3528 | updater.exe

Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 4040 set thread context of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 3528 set thread context of 3644 | 3528 | updater.exe | 129
PID 3528 set thread context of 4808 | 3528 | updater.exe | 134
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
3792 | sc.exe
5004 | sc.exe
1596 | sc.exe
1800 | sc.exe
164 | sc.exe
2800 | sc.exe
2284 | sc.exe
1924 | sc.exe
4704 | sc.exe
4804 | sc.exe
3644 | sc.exe
5020 | sc.exe
4348 | sc.exe
920 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies data under HKEY_USERS 47 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
916 | RegAsm.exe
916 | RegAsm.exe
916 | RegAsm.exe
3320 | filename.exe
4136 | powershell.exe
4136 | powershell.exe
4136 | powershell.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3320 | filename.exe
3528 | updater.exe
3088 | powershell.exe
3088 | powershell.exe
3088 | powershell.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
3528 | updater.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe
4808 | explorer.exe

Suspicious behavior: LoadsDriver 1 IoCs
pid | Process
604 | Process not Found
Suspicious use of AdjustPrivilegeToken 53 IoCs
description | pid | Process
Token: SeDebugPrivilege | 916 | RegAsm.exe
Token: SeDebugPrivilege | 4136 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 4136 | powershell.exe
Token: SeSecurityPrivilege | 4136 | powershell.exe
Token: SeTakeOwnershipPrivilege | 4136 | powershell.exe
Token: SeLoadDriverPrivilege | 4136 | powershell.exe
Token: SeSystemProfilePrivilege | 4136 | powershell.exe
Token: SeSystemtimePrivilege | 4136 | powershell.exe
Token: SeProfSingleProcessPrivilege | 4136 | powershell.exe
Token: SeIncBasePriorityPrivilege | 4136 | powershell.exe
Token: SeCreatePagefilePrivilege | 4136 | powershell.exe
Token: SeBackupPrivilege | 4136 | powershell.exe
Token: SeRestorePrivilege | 4136 | powershell.exe
Token: SeShutdownPrivilege | 4136 | powershell.exe
Token: SeDebugPrivilege | 4136 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 4136 | powershell.exe
Token: SeRemoteShutdownPrivilege | 4136 | powershell.exe
Token: SeUndockPrivilege | 4136 | powershell.exe
Token: SeManageVolumePrivilege | 4136 | powershell.exe
Token: 33 | 4136 | powershell.exe
Token: 34 | 4136 | powershell.exe
Token: 35 | 4136 | powershell.exe
Token: 36 | 4136 | powershell.exe
Token: SeShutdownPrivilege | 3684 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3684 | powercfg.exe
Token: SeShutdownPrivilege | 2096 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2096 | powercfg.exe
Token: SeShutdownPrivilege | 2108 | powercfg.exe
Token: SeCreatePagefilePrivilege | 2108 | powercfg.exe
Token: SeShutdownPrivilege | 1876 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1876 | powercfg.exe
Token: SeDebugPrivilege | 3088 | powershell.exe
Token: SeAssignPrimaryTokenPrivilege | 3088 | powershell.exe
Token: SeIncreaseQuotaPrivilege | 3088 | powershell.exe
Token: SeSecurityPrivilege | 3088 | powershell.exe
Token: SeTakeOwnershipPrivilege | 3088 | powershell.exe
Token: SeLoadDriverPrivilege | 3088 | powershell.exe
Token: SeSystemtimePrivilege | 3088 | powershell.exe
Token: SeBackupPrivilege | 3088 | powershell.exe
Token: SeRestorePrivilege | 3088 | powershell.exe
Token: SeShutdownPrivilege | 3088 | powershell.exe
Token: SeSystemEnvironmentPrivilege | 3088 | powershell.exe
Token: SeUndockPrivilege | 3088 | powershell.exe
Token: SeManageVolumePrivilege | 3088 | powershell.exe
Token: SeShutdownPrivilege | 3768 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3768 | powercfg.exe
Token: SeShutdownPrivilege | 316 | powercfg.exe
Token: SeCreatePagefilePrivilege | 316 | powercfg.exe
Token: SeShutdownPrivilege | 4420 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4420 | powercfg.exe
Token: SeShutdownPrivilege | 4204 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4204 | powercfg.exe
Token: SeLockMemoryPrivilege | 4808 | explorer.exe
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 4040 wrote to memory of 3636 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 73
PID 4040 wrote to memory of 3636 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 73
PID 4040 wrote to memory of 3636 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 73
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 4040 wrote to memory of 916 | 4040 | 5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe | 74
PID 916 wrote to memory of 3320 | 916 | RegAsm.exe | 76
PID 916 wrote to memory of 3320 | 916 | RegAsm.exe | 76
PID 1804 wrote to memory of 2808 | 1804 | cmd.exe | 86
PID 1804 wrote to memory of 2808 | 1804 | cmd.exe | 86
PID 4720 wrote to memory of 1200 | 4720 | cmd.exe | 118
PID 4720 wrote to memory of 1200 | 4720 | cmd.exe | 118
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 3644 | 3528 | updater.exe | 129
PID 3528 wrote to memory of 4808 | 3528 | updater.exe | 134
PID 3528 wrote to memory of 4808 | 3528 | updater.exe | 134
PID 3528 wrote to memory of 4808 | 3528 | updater.exe | 134
PID 3528 wrote to memory of 4808 | 3528 | updater.exe | 134
PID 3528 wrote to memory of 4808 | 3528 | updater.exe | 134
Processes (indented by depth in the process tree)

C:\Users\Admin\AppData\Local\Temp\5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\5f308a9da30dbe668bd1e2e2f7067e8812d67f14703d4b24c47412bfe23f4a8b.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 4040

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 3636

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 916

        C:\Users\Admin\AppData\Local\Temp\filename.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\filename.exe"
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Drops file in Drivers directory
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Checks whether UAC is enabled
        - Drops file in System32 directory
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: EnumeratesProcesses
        PID: 3320

            C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
            Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 4136

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop UsoSvc
            - Launches sc.exe
            PID: 3792

            C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
            - Suspicious use of WriteProcessMemory
            PID: 1804

                C:\Windows\system32\wusa.exe
                Command line: wusa /uninstall /kb:890830 /quiet /norestart
                PID: 2808

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
            - Launches sc.exe
            PID: 2800

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop wuauserv
            - Launches sc.exe
            PID: 3644

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop bits
            - Launches sc.exe
            PID: 5020

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop dosvc
            - Launches sc.exe
            PID: 2284

            C:\Windows\system32\powercfg.exe
            Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
            PID: 1876

            C:\Windows\system32\powercfg.exe
            Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
            PID: 2096

            C:\Windows\system32\powercfg.exe
            Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
            - Suspicious use of AdjustPrivilegeToken
            PID: 2108

            C:\Windows\system32\powercfg.exe
            Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
            - Suspicious use of AdjustPrivilegeToken
            PID: 3684

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
            - Launches sc.exe
            PID: 5004

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
            - Launches sc.exe
            PID: 4348

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
            - Launches sc.exe
            PID: 920

            C:\Windows\system32\sc.exe
            Command line: C:\Windows\system32\sc.exe stop eventlog
            - Launches sc.exe
            PID: 1924

C:\ProgramData\Google\Chrome\updater.exe
Command line: C:\ProgramData\Google\Chrome\updater.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 3528

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3088

    C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    PID: 1800

    C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory
    PID: 4720

        C:\Windows\system32\wusa.exe
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
        PID: 1200

    C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
    PID: 1596

    C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    PID: 4804

    C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
    PID: 4704

    C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
    PID: 164

    C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 3768

    C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 4420

    C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 4204

    C:\Windows\system32\powercfg.exe
    Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 316

    C:\Windows\system32\conhost.exe
    Command line: C:\Windows\system32\conhost.exe
    PID: 3644

    C:\Windows\explorer.exe
    Command line: explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4808
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 7.9MB
MD5: c7360f031893f764c09c12d1a93bb6b3
SHA1: ed7645fce92872be3668dd38da104ec0c5648213
SHA256: 3c1b63ce143c1979f3d963fd3ed0d838bc231c1d2fcb02a965c7230ef94dc899
SHA512: 6924d9f34c317bd45008446bef35a4ef9da1f985cc213ad32d29d5f1dceaef0b3f73b07eec6d489e561711ff6cbb7e99ea110d345d89f571ad3ca4852381f413

Filesize: 3KB
MD5: 2d29fd3ae57f422e2b2121141dc82253
SHA1: c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256: 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512: 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68