Analysis
max time kernel: 149s
max time network: 137s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 01:39
General
Target: bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Size: 95KB
MD5: 735c15c37831cdc319c03f4f7971da49
SHA1: 166949cdb534d97c564adc27f297406a4bf38204
SHA256: bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6
SHA512: 3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8
SSDEEP: 1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y
Malware Config
Extracted
Family: redline
Botnet: exodus
C2: 94.156.8.229:1334
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
resource | yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp | family_redline

SectopRAT payload 1 IoCs
resource | yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp | family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
resource | yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp | INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Both family rules above match the same 120KB region of pid 2408; the extracted configuration (Family: redline) is the stronger basis for attribution.
UPX dump on OEP (original entry point) 17 IoCs
resource | yara_rule
behavioral1/memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp | UPX
XMRig Miner payload 13 IoCs
resource | yara_rule
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp | xmrig

The xmrig rule fires on the same 8.3MB region of pid 2636 (explorer.exe) that the UPX rule matched, i.e. the unpacked miner that updater.exe injected into explorer.exe (see Suspicious use of SetThreadContext below).
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | process
2284 | powershell.exe
2332 | powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
description | ioc | process
File created | C:\Windows\system32\drivers\etc\hosts | east.exe
File created | C:\Windows\system32\drivers\etc\hosts | updater.exe

Executes dropped EXE 3 IoCs
pid | process
1556 | east.exe
472 |
2336 | updater.exe

Loads dropped DLL 3 IoCs
pid | process
2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
472 |
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

yara rule upx 18 IoCs
resource | yara_rule
behavioral1/memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-173-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp | upx
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp | upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 4 IoCs
description | ioc | process
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | updater.exe
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
File opened for modification | C:\Windows\system32\MRT.exe | east.exe

Suspicious use of SetThreadContext 2 IoCs
description | pid | process | target process
PID 2336 set thread context of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 set thread context of 2636 | 2336 | updater.exe | explorer.exe

Drops file in Windows directory 2 IoCs
description | ioc | process
File created | C:\Windows\wusa.lock | wusa.exe
File created | C:\Windows\wusa.lock | wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | process
944 | sc.exe
876 | sc.exe
1764 | sc.exe
2176 | sc.exe
2044 | sc.exe
2108 | sc.exe
2304 | sc.exe
1152 | sc.exe
2936 | sc.exe
2204 | sc.exe
572 | sc.exe
1596 | sc.exe
1932 | sc.exe
1612 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | powershell.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a04e06bc9fa5da01 | powershell.exe
Modifies system certificate store
description | ioc | process
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob omitted) | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob omitted) | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob omitted) | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (DER certificate blob omitted) | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

The omitted ROOT\...\CABD2A79A1076A31F21D253635CB039D4329A5E8 blob is a DER-encoded certificate whose subject reads "Internet Security Research Group / ISRG Root X1" (the strings are readable in the original hex). Together with the CryptnetUrlCache entry under Downloads, this looks like Windows' automatic root-certificate update being triggered by the sample's TLS traffic, so these registry writes are weak evidence on their own; the Defender exclusions, service tampering and injected miner are the indicators worth alerting on.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid process (64 observations, listed in order as recorded):
2408 bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe 2408 bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe 1556 east.exe 2284 powershell.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 1556 east.exe 2336 updater.exe 2332 powershell.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2336 updater.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe 2636 explorer.exe
Suspicious use of AdjustPrivilegeToken 12 IoCs
description | pid | process
Token: SeDebugPrivilege | 2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Token: SeDebugPrivilege | 2284 | powershell.exe
Token: SeShutdownPrivilege | 2268 | powercfg.exe
Token: SeShutdownPrivilege | 2368 | powercfg.exe
Token: SeShutdownPrivilege | 2340 | powercfg.exe
Token: SeShutdownPrivilege | 2392 | powercfg.exe
Token: SeDebugPrivilege | 2332 | powershell.exe
Token: SeShutdownPrivilege | 3064 | powercfg.exe
Token: SeShutdownPrivilege | 1820 | powercfg.exe
Token: SeShutdownPrivilege | 2824 | powercfg.exe
Token: SeShutdownPrivilege | 2016 | powercfg.exe
Token: SeLockMemoryPrivilege | 2636 | explorer.exe

SeLockMemoryPrivilege in explorer.exe (pid 2636) is the privilege needed for large-page allocations, which XMRig requests for performance; a shell process asking for it is a useful detection signal in its own right.
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | process | target process
PID 2408 wrote to memory of 1556 | 2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe | east.exe
PID 2408 wrote to memory of 1556 | 2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe | east.exe
PID 2408 wrote to memory of 1556 | 2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe | east.exe
PID 2408 wrote to memory of 1556 | 2408 | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe | east.exe
PID 2076 wrote to memory of 1480 | 2076 | cmd.exe | wusa.exe
PID 2076 wrote to memory of 1480 | 2076 | cmd.exe | wusa.exe
PID 2076 wrote to memory of 1480 | 2076 | cmd.exe | wusa.exe
PID 2272 wrote to memory of 2888 | 2272 | cmd.exe | wusa.exe
PID 2272 wrote to memory of 2888 | 2272 | cmd.exe | wusa.exe
PID 2272 wrote to memory of 2888 | 2272 | cmd.exe | wusa.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2068 | 2336 | updater.exe | conhost.exe
PID 2336 wrote to memory of 2636 | 2336 | updater.exe | explorer.exe
PID 2336 wrote to memory of 2636 | 2336 | updater.exe | explorer.exe
PID 2336 wrote to memory of 2636 | 2336 | updater.exe | explorer.exe
PID 2336 wrote to memory of 2636 | 2336 | updater.exe | explorer.exe
PID 2336 wrote to memory of 2636 | 2336 | updater.exe | explorer.exe
Processes
(indentation shows parent/child depth; each entry gives the image path, the recorded command line, and the signatures attributed to that process)

C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\east.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\east.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          - Command and Scripting Interpreter: PowerShell
          - Drops file in System32 directory
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
          command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wusa.exe
              command line: wusa /uninstall /kb:890830 /quiet /norestart
              - Drops file in Windows directory

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop UsoSvc
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop wuauserv
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop bits
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop dosvc
          - Launches sc.exe

        C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe stop eventlog
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          command line: C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          - Launches sc.exe

C:\ProgramData\Google\Chrome\updater.exe
  command line: C:\ProgramData\Google\Chrome\updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      command line: C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wusa.exe
          command line: wusa /uninstall /kb:890830 /quiet /norestart
          - Drops file in Windows directory

    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      command line: C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe

    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      command line: C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\conhost.exe
      command line: C:\Windows\system32\conhost.exe

    C:\Windows\explorer.exe
      command line: explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

The second tree (updater.exe as a root process) is the service registered as "GoogleUpdateTaskMachineQC" by the sc.exe create/start commands in the first tree; it repeats the Defender-exclusion, update-service and power-setting changes and then injects into conhost.exe and explorer.exe (see Suspicious use of SetThreadContext), where the XMRig payload is detected.
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 344B
  MD5: 83a25d913b9e63ea02a7b5c6bdae4f71
  SHA1: 47e3ef11e376fb6d0df4254316c6564b3efbd579
  SHA256: 6284f9b5fe7220791f7e0b64ebd8d1216e14e02c96a81a476ce6182f26e1b099
  SHA512: 66f70ab17116d555b3668c34e715a9e0aa6c9944b52577b14c279111183652528fa515e4562f93bbadbca3b57701991f8de692fa515a1a5c974013ba12021905

C:\Users\Admin\AppData\Local\Temp\Cab3B8C.tmp
  Filesize: 68KB
  MD5: 29f65ba8e88c063813cc50a4ea544e93
  SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
  SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
  SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar3FC3.tmp
  Filesize: 177KB
  MD5: 435a9ac180383f9fa094131b173a2f7b
  SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
  SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
  SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\Local\Temp\tmp46C1.tmp
  Filesize: 46KB
  MD5: 02d2c46697e3714e49f46b680b9a6b83
  SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
  SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
  SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp46E6.tmp
  Filesize: 92KB
  MD5: d45b32a69554239e2df99241a8bde05f
  SHA1: badc4c0d437a578947a744fd57e0189639609c1f
  SHA256: a5b5c18640f9de53293b9914874824490b65522e1c8d91b2b0abfcd09719747c
  SHA512: 406b39c28e134fa6161e7efd777091a11af55a473e4a0d71f7733632337483d36801bd828879a593d45ddd2769a1d1aef3e7e7b1b7583104481bd9168496fe50

C:\Windows\system32\drivers\etc\hosts
  Filesize: 2KB
  MD5: 3e9af076957c5b2f9c9ce5ec994bea05
  SHA1: a8c7326f6bceffaeed1c2bb8d7165e56497965fe
  SHA256: e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e
  SHA512: 933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

\Users\Admin\AppData\Local\Temp\east.exe
  Filesize: 5.1MB
  MD5: 53fc8153edf492734d97158afd8644a5
  SHA1: 682296b14eddb32ccadaaecc098b497539393b94
  SHA256: 0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc
  SHA512: bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb

Memory dumps (resource | Filesize):
memory/2068-166-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2068-164-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2068-167-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2068-171-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2068-165-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2068-168-0x0000000140000000-0x000000014000E000-memory.dmp | 56KB
memory/2284-153-0x0000000002720000-0x0000000002728000-memory.dmp | 32KB
memory/2284-152-0x000000001B4F0000-0x000000001B7D2000-memory.dmp | 2.9MB
memory/2332-161-0x0000000000950000-0x0000000000958000-memory.dmp | 32KB
memory/2332-160-0x0000000019EB0000-0x000000001A192000-memory.dmp | 2.9MB
memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp | 120KB
memory/2408-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp | 6.9MB
memory/2408-147-0x0000000074DF0000-0x00000000754DE000-memory.dmp | 6.9MB
memory/2408-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp | 4KB
memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-180-0x00000000000B0000-0x00000000000D0000-memory.dmp | 128KB
memory/2636-173-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB
memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp | 8.3MB