Malware Analysis Report

2024-10-23 21:35

Sample ID 240511-bkf19afc92
Target 2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe
SHA256 2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826
Tags
redline xmrig logsdiller cloud (tg: @logsdillabot) discovery evasion execution infostealer miner persistence spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826

Threat Level: Known bad

The file 2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe was found to be: Known bad.

Malicious Activity Summary

redline xmrig logsdiller cloud (tg: @logsdillabot) discovery evasion execution infostealer miner persistence spyware stealer upx

RedLine

xmrig

RedLine payload

XMRig Miner payload

UPX dump on OEP (original entry point)

Drops file in Drivers directory

Command and Scripting Interpreter: PowerShell

Stops running service(s)

Creates new service(s)

UPX packed file

Reads user/profile data of web browsers

Checks computer location settings

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 01:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 01:11

Reported

2024-05-11 01:14

Platform

win7-20231129-en

Max time kernel

122s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe

"C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 52

Network

N/A

Files

memory/3040-0-0x0000000000030000-0x0000000000031000-memory.dmp

memory/3040-1-0x0000000000030000-0x0000000000031000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 01:11

Reported

2024-05-11 01:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

xmrig

miner xmrig

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

XMRig Miner payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Creates new service(s)

persistence execution

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
File created C:\Windows\system32\drivers\etc\hosts C:\ProgramData\Google\Chrome\updater.exe N/A

Stops running service(s)

evasion execution

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\ProgramData\Google\Chrome\updater.exe N/A
File opened for modification C:\Windows\system32\MRT.exe C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fie.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\ProgramData\Google\Chrome\updater.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\powercfg.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\explorer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4068 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3428 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\fie.exe
PID 3428 wrote to memory of 1748 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Users\Admin\AppData\Local\Temp\fie.exe
PID 1872 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 1872 wrote to memory of 2764 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4628 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4628 wrote to memory of 3300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\wusa.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2616 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\system32\conhost.exe
PID 4676 wrote to memory of 2324 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 4676 wrote to memory of 2324 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 4676 wrote to memory of 2324 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 4676 wrote to memory of 2324 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\explorer.exe
PID 4676 wrote to memory of 2324 N/A C:\ProgramData\Google\Chrome\updater.exe C:\Windows\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe

"C:\Users\Admin\AppData\Local\Temp\2b9fa60df2621c7cd698d7d11007f8a04cb6586f495b58f4fd8cc5de5b04f826.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\fie.exe

"C:\Users\Admin\AppData\Local\Temp\fie.exe"

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"

C:\ProgramData\Google\Chrome\updater.exe

C:\ProgramData\Google\Chrome\updater.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
RU 5.42.65.77:6541 tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 77.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 52.183.220.149:443 tcp
US 8.8.8.8:53 udp
N/A 46.28.45.88:443 tcp
N/A 52.183.220.149:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 52.183.220.149:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 stratum-eu.rplant.xyz udp
FR 141.94.192.217:17056 stratum-eu.rplant.xyz tcp
US 8.8.8.8:53 217.192.94.141.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4068-0-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/4068-1-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/4068-3-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

memory/3428-2-0x0000000000400000-0x0000000000452000-memory.dmp

memory/3428-4-0x0000000074B6E000-0x0000000074B6F000-memory.dmp

memory/3428-5-0x00000000055C0000-0x0000000005B64000-memory.dmp

memory/3428-6-0x0000000005010000-0x00000000050A2000-memory.dmp

memory/3428-7-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/3428-8-0x0000000004F80000-0x0000000004F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tmp47D6.tmp

MD5 1420d30f964eac2c85b2ccfe968eebce
SHA1 bdf9a6876578a3e38079c4f8cf5d6c79687ad750
SHA256 f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9
SHA512 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

memory/3428-25-0x0000000005BF0000-0x0000000005C66000-memory.dmp

memory/3428-26-0x0000000006380000-0x000000000639E000-memory.dmp

memory/3428-29-0x00000000069C0000-0x0000000006FD8000-memory.dmp

memory/3428-30-0x0000000006510000-0x000000000661A000-memory.dmp

memory/3428-31-0x0000000006450000-0x0000000006462000-memory.dmp

memory/3428-32-0x00000000064B0000-0x00000000064EC000-memory.dmp

memory/3428-33-0x0000000006620000-0x000000000666C000-memory.dmp

memory/3428-34-0x0000000006760000-0x00000000067C6000-memory.dmp

memory/3428-37-0x0000000006960000-0x00000000069B0000-memory.dmp

memory/3428-38-0x00000000076B0000-0x0000000007872000-memory.dmp

memory/3428-39-0x0000000007DB0000-0x00000000082DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fie.exe

MD5 6cb5979703a8167390425ceed56f453e
SHA1 2799f0af0cc3c5e9dbc62235505428a1ca8d8204
SHA256 edcb3e44eb0858ef84ed1294d1303074e82b45e341cdf41902c6a9c492bc573e
SHA512 a7e3c9aa158f5e99634ca43e5d01b5777982442d1537c95242591f196bd0e78468edb6d08368b0f05033d963d31326d40f3702b1d0399260cbea05f57d346b42

memory/3428-52-0x0000000074B60000-0x0000000075310000-memory.dmp

memory/1904-53-0x00007FFF0A133000-0x00007FFF0A135000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cpodih3u.vg4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1904-59-0x000001F8B9770000-0x000001F8B9792000-memory.dmp

memory/1904-64-0x00007FFF0A130000-0x00007FFF0ABF1000-memory.dmp

memory/1904-65-0x00007FFF0A130000-0x00007FFF0ABF1000-memory.dmp

memory/1904-68-0x00007FFF0A130000-0x00007FFF0ABF1000-memory.dmp

memory/3132-92-0x000002C356900000-0x000002C3569B5000-memory.dmp

memory/3132-91-0x000002C3568E0000-0x000002C3568FC000-memory.dmp

memory/3132-93-0x000002C3569C0000-0x000002C3569CA000-memory.dmp

memory/3132-94-0x000002C356B30000-0x000002C356B4C000-memory.dmp

memory/3132-95-0x000002C356B10000-0x000002C356B1A000-memory.dmp

memory/3132-98-0x000002C356B50000-0x000002C356B56000-memory.dmp

memory/3132-99-0x000002C356B60000-0x000002C356B6A000-memory.dmp

memory/3132-97-0x000002C356B20000-0x000002C356B28000-memory.dmp

memory/3132-96-0x000002C356B70000-0x000002C356B8A000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 2d29fd3ae57f422e2b2121141dc82253
SHA1 c2464c857779c0ab4f5e766f5028fcc651a6c6b7
SHA256 80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4
SHA512 077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

memory/2616-108-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2616-111-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2324-114-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-115-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-119-0x0000000000C00000-0x0000000000C20000-memory.dmp

memory/2324-118-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-117-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-123-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-122-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-121-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-120-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-116-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-113-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-124-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-112-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2616-107-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2616-106-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2616-105-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2616-104-0x0000000140000000-0x000000014000E000-memory.dmp

memory/2324-125-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-126-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-128-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-127-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-129-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-130-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-132-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-131-0x0000000140000000-0x0000000140848000-memory.dmp

memory/2324-133-0x0000000140000000-0x0000000140848000-memory.dmp