Analysis
max time kernel: 252s
max time network: 293s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-05-2024 23:06
Static task: static1
Behavioral task: behavioral1
Sample: 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
Resource: win10-20240404-en
General
Target: 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe
Size: 527KB
MD5: 144e3fc197d288b006018a06681636eb
SHA1: 82bc88c1799ade03d1dcecb8b13653c0aa90f475
SHA256: 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce
SHA512: def371308bbde6c659c4b72a5d144bb9149931ec985ae2ccfe68cbb7acc6d15446cb917e4799908dfa4b65dae77a01980c5f52e6f80a3d39586039827d03cb40
SSDEEP: 12288:vJYO+vkfgJbreygSCTUPAKRccEedsTm0eynOpWcDMvH0Xp:vJYmfgdRwedsTTPnfcDMvU
Malware Config
Extracted
redline
LogsDiller Cloud (TG: @logsdillabot)
5.42.65.77:6541
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 1 IoCs
Processes:
resource yara_rule
behavioral2/memory/5088-1-0x0000000000400000-0x0000000000452000-memory.dmp family_redline
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
description ioc process
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ fie.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ updater.exe
XMRig Miner payload 16 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid process
4136 powershell.exe
2460 powershell.exe
Creates new service(s) 2 TTPs
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs
Processes:
description ioc process
File created C:\Windows\system32\drivers\etc\hosts fie.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fie.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fie.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion updater.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion updater.exe
Executes dropped EXE 2 IoCs
Processes:
pid process
1440 fie.exe
3572 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes:
resource yara_rule
C:\Users\Admin\AppData\Local\Temp\fie.exe themida
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled 2 IoCs
Processes:
description ioc process
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA fie.exe
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA updater.exe
Drops file in System32 directory 4 IoCs
Processes:
description ioc process
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe
File opened for modification C:\Windows\system32\MRT.exe updater.exe
File opened for modification C:\Windows\system32\MRT.exe fie.exe
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
pid process
1440 fie.exe
3572 updater.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description pid process target process
PID 2272 set thread context of 5088 2272 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe RegAsm.exe
PID 3572 set thread context of 2124 3572 updater.exe conhost.exe
PID 3572 set thread context of 4396 3572 updater.exe explorer.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid process
508 sc.exe
2212 sc.exe
1120 sc.exe
1212 sc.exe
2208 sc.exe
376 sc.exe
428 sc.exe
4112 sc.exe
508 sc.exe
2736 sc.exe
5020 sc.exe
812 sc.exe
1644 sc.exe
1780 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies data under HKEY_USERS 47 IoCs
Modifies system certificate store 2 IoCs
Processes:
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 RegAsm.exe
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = [certificate blob omitted] RegAsm.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid process
5088 RegAsm.exe
1440 fie.exe
4136 powershell.exe
3572 updater.exe
2460 powershell.exe
4396 explorer.exe
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes:
pid process: tokens
5088 RegAsm.exe: SeDebugPrivilege
4136 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
3220 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
2496 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
2856 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
4976 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
2460 powershell.exe: SeDebugPrivilege, SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
4476 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
4216 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
2444 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
3568 powercfg.exe: SeShutdownPrivilege, SeCreatePagefilePrivilege
4396 explorer.exe: SeLockMemoryPrivilege
Suspicious use of WriteProcessMemory 31 IoCs
Processes:
description pid process target process
PID 2272 wrote to memory of 5036 2272 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe RegAsm.exe
PID 2272 wrote to memory of 5088 2272 75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe RegAsm.exe
PID 5088 wrote to memory of 1440 5088 RegAsm.exe fie.exe
PID 3936 wrote to memory of 2712 3936 cmd.exe wusa.exe
PID 5012 wrote to memory of 556 5012 cmd.exe wusa.exe
PID 3572 wrote to memory of 2124 3572 updater.exe conhost.exe
PID 3572 wrote to memory of 4396 3572 updater.exe explorer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe (PID 2272)
Command line: "C:\Users\Admin\AppData\Local\Temp\75997a0972431bc5e7a704b53cd1a000bf6f1f51c31f2ef32b3af38f120ccfce.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5036)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 5088)
  Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\fie.exe (PID 1440)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fie.exe"
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 4136)
      Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\cmd.exe (PID 3936)
      Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory
        C:\Windows\system32\wusa.exe (PID 2712)
        Command line: wusa /uninstall /kb:890830 /quiet /norestart
      C:\Windows\system32\sc.exe (PID 2208)
      Command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 508)
      Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2212)
      Command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1120)
      Command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 2736)
      Command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe
      C:\Windows\system32\powercfg.exe (PID 3220)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe (PID 2496)
      Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe (PID 2856)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\powercfg.exe (PID 4976)
      Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      C:\Windows\system32\sc.exe (PID 376)
      Command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 812)
      Command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 428)
      Command line: C:\Windows\system32\sc.exe stop eventlog
      - Launches sc.exe
      C:\Windows\system32\sc.exe (PID 1212)
      Command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      - Launches sc.exe
C:\ProgramData\Google\Chrome\updater.exe (PID 3572)
Command line: C:\ProgramData\Google\Chrome\updater.exe
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe (PID 2460)
  Command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 5012)
  Command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wusa.exe (PID 556)
    Command line: wusa /uninstall /kb:890830 /quiet /norestart
  C:\Windows\system32\sc.exe (PID 5020)
  Command line: C:\Windows\system32\sc.exe stop UsoSvc
  - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1780)
  Command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
  - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 1644)
  Command line: C:\Windows\system32\sc.exe stop wuauserv
  - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 508)
  Command line: C:\Windows\system32\sc.exe stop bits
  - Launches sc.exe
  C:\Windows\system32\sc.exe (PID 4112)
  Command line: C:\Windows\system32\sc.exe stop dosvc
  - Launches sc.exe
  C:\Windows\system32\powercfg.exe (PID 4476)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 4216)
  Command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 2444)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\powercfg.exe (PID 3568)
  Command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\conhost.exe (PID 2124)
  Command line: C:\Windows\system32\conhost.exe
  C:\Windows\explorer.exe (PID 4396)
  Command line: explorer.exe
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- System Services (2): Service Execution (2)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
- Virtualization/Sandbox Evasion (1)
Downloads
Filesize: 2KB
MD5: 1420d30f964eac2c85b2ccfe968eebce
SHA1: bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256: f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512: 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Filesize: 1B
MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512: 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Filesize: 8.2MB
MD5: 5675a5779f4de4ba3ce58a309a7c0086
SHA1: dee6fc30051586b405ae85bf7d14bf110440184d
SHA256: cb4b754377f21d469f0b766ca65c1db7c6e6e84b897292b02b3eba27a9f9f90d
SHA512: 6a32c56abd4d05ade7a4756e487c255cc3728eaaeac9cc94d609372eb951c54c89f343e87eede51d374b48746ca042ef050bc575d178497ca47abe05090b8465

Filesize: 2KB
MD5: 2b19df2da3af86adf584efbddd0d31c0
SHA1: f1738910789e169213611c033d83bc9577373686
SHA256: 58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd
SHA512: 4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6