redline | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6

Analysis

max time kernel
149s
max time network
137s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Size

95KB
MD5

735c15c37831cdc319c03f4f7971da49
SHA1

166949cdb534d97c564adc27f297406a4bf38204
SHA256

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6
SHA512

3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8
SSDEEP

1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y

Score

10^/10

redline sectoprat xmrig exodus discovery evasion execution infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

exodus

94.156.8.229:1334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

UPX dump on OEP (original entry point) 17 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2284 powershell.exe
2332 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

east.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts east.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

east.exeupdater.exe

pid process

1556 east.exe
472
2336 updater.exe

pid	process
2284	powershell.exe
2332	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	east.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

pid	process
1556	east.exe
472
2336	updater.exe

Loads dropped DLL 3 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

pid	process
2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
472

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-173-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeupdater.exepowershell.exeeast.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	east.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 2336 set thread context of 2068	2336	updater.exe	conhost.exe
PID 2336 set thread context of 2636	2336	updater.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

944 sc.exe
876 sc.exe
1764 sc.exe
2176 sc.exe
2044 sc.exe
2108 sc.exe
2304 sc.exe
1152 sc.exe
2936 sc.exe
2204 sc.exe
572 sc.exe
1596 sc.exe
1932 sc.exe
1612 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

pid	process
944	sc.exe
876	sc.exe
1764	sc.exe
2176	sc.exe
2044	sc.exe
2108	sc.exe
2304	sc.exe
1152	sc.exe
2936	sc.exe
2204	sc.exe
572	sc.exe
1596	sc.exe
1932	sc.exe
1612	sc.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = a04e06bc9fa5da01	powershell.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exeeast.exepowershell.exeupdater.exepowershell.exeexplorer.exe

pid	process
2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
1556	east.exe
2284	powershell.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
1556	east.exe
2336	updater.exe
2332	powershell.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2336	updater.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe
2636	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeShutdownPrivilege	2268	powercfg.exe
Token: SeShutdownPrivilege	2368	powercfg.exe
Token: SeShutdownPrivilege	2340	powercfg.exe
Token: SeShutdownPrivilege	2392	powercfg.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeShutdownPrivilege	3064	powercfg.exe
Token: SeShutdownPrivilege	1820	powercfg.exe
Token: SeShutdownPrivilege	2824	powercfg.exe
Token: SeShutdownPrivilege	2016	powercfg.exe
Token: SeLockMemoryPrivilege	2636	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 2408 wrote to memory of 1556	2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2408 wrote to memory of 1556	2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2408 wrote to memory of 1556	2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2408 wrote to memory of 1556	2408	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2076 wrote to memory of 1480	2076	cmd.exe	wusa.exe
PID 2076 wrote to memory of 1480	2076	cmd.exe	wusa.exe
PID 2076 wrote to memory of 1480	2076	cmd.exe	wusa.exe
PID 2272 wrote to memory of 2888	2272	cmd.exe	wusa.exe
PID 2272 wrote to memory of 2888	2272	cmd.exe	wusa.exe
PID 2272 wrote to memory of 2888	2272	cmd.exe	wusa.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2068	2336	updater.exe	conhost.exe
PID 2336 wrote to memory of 2636	2336	updater.exe	explorer.exe
PID 2336 wrote to memory of 2636	2336	updater.exe	explorer.exe
PID 2336 wrote to memory of 2636	2336	updater.exe	explorer.exe
PID 2336 wrote to memory of 2636	2336	updater.exe	explorer.exe
PID 2336 wrote to memory of 2636	2336	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
"C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Local\Temp\east.exe
"C:\Users\Admin\AppData\Local\Temp\east.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:2076

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:1480

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:572

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:944

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:2304

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:1152

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2340

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2392

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:1764

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
3⤵
- Launches sc.exe
PID:1596

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1932

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:1612

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2272

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:2936

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2176

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:2044

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:2204

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:2108

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2068

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
83a25d913b9e63ea02a7b5c6bdae4f71

SHA1
47e3ef11e376fb6d0df4254316c6564b3efbd579

SHA256
6284f9b5fe7220791f7e0b64ebd8d1216e14e02c96a81a476ce6182f26e1b099

SHA512
66f70ab17116d555b3668c34e715a9e0aa6c9944b52577b14c279111183652528fa515e4562f93bbadbca3b57701991f8de692fa515a1a5c974013ba12021905

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3B8C.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3FC3.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46C1.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp46E6.tmp
Filesize
92KB

MD5
d45b32a69554239e2df99241a8bde05f

SHA1
badc4c0d437a578947a744fd57e0189639609c1f

SHA256
a5b5c18640f9de53293b9914874824490b65522e1c8d91b2b0abfcd09719747c

SHA512
406b39c28e134fa6161e7efd777091a11af55a473e4a0d71f7733632337483d36801bd828879a593d45ddd2769a1d1aef3e7e7b1b7583104481bd9168496fe50

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
\Users\Admin\AppData\Local\Temp\east.exe
Filesize
5.1MB

MD5
53fc8153edf492734d97158afd8644a5

SHA1
682296b14eddb32ccadaaecc098b497539393b94

SHA256
0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc

SHA512
bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb

Download Submit
memory/2068-166-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2068-164-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2068-167-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2068-171-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2068-165-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2068-168-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2284-153-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2284-152-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2332-161-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/2332-160-0x0000000019EB0000-0x000000001A192000-memory.dmp

Filesize
2.9MB

Download
memory/2408-1-0x0000000001090000-0x00000000010AE000-memory.dmp

Filesize
120KB

Download
memory/2408-2-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2408-147-0x0000000074DF0000-0x00000000754DE000-memory.dmp

Filesize
6.9MB

Download
memory/2408-0-0x0000000074DFE000-0x0000000074DFF000-memory.dmp

Filesize
4KB

Download
memory/2636-174-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-175-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-179-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-178-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-176-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-180-0x00000000000B0000-0x00000000000D0000-memory.dmp

Filesize
128KB

Download
memory/2636-173-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-177-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-181-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-185-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-184-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-183-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-182-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-186-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-187-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-188-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-190-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2636-191-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download