Analysis
max time kernel  149s
max time network  148s
platform  windows10-2004_x64
resource  win10v2004-20240508-en
resource tags  arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted  14-05-2024 01:39
General
Target  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Size  95KB
MD5  735c15c37831cdc319c03f4f7971da49
SHA1  166949cdb534d97c564adc27f297406a4bf38204
SHA256  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6
SHA512  3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8
SSDEEP  1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y
Malware Config
Extracted
Family  redline
Botnet  exodus
C2  94.156.8.229:1334
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp  family_redline
SectopRAT payload 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp  family_sectoprat
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
UPX dump on OEP (original entry point) 17 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp  UPX
XMRig Miner payload 13 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp  xmrig
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid  process
1340  powershell.exe
2168  powershell.exe
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
description  ioc  process
File created  C:\Windows\system32\drivers\etc\hosts  east.exe
File created  C:\Windows\system32\drivers\etc\hosts  updater.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Executes dropped EXE 2 IoCs
Processes:
pid  process
2056  east.exe
3036  updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
resource  yara_rule
behavioral2/memory/4412-234-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp  upx
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp  upx
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 4 IoCs
Processes:
description  ioc  process
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\system32\MRT.exe  updater.exe
File opened for modification  C:\Windows\system32\MRT.exe  east.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
Suspicious use of SetThreadContext 2 IoCs
Processes:
description  pid  process  target process
PID 3036 set thread context of 4172  3036  updater.exe  conhost.exe
PID 3036 set thread context of 4412  3036  updater.exe  explorer.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
4948  sc.exe
4860  sc.exe
3536  sc.exe
540  sc.exe
436  sc.exe
2196  sc.exe
3828  sc.exe
1712  sc.exe
224  sc.exe
1980  sc.exe
884  sc.exe
2320  sc.exe
3960  sc.exe
4108  sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies data under HKEY_USERS 46 IoCs
Processes:
description  ioc  process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
pid  process  (identical consecutive rows collapsed with a count; 64 events in total)
220  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe  (x2)
2056  east.exe
1340  powershell.exe  (x2)
2056  east.exe  (x14)
3036  updater.exe
2168  powershell.exe  (x2)
3036  updater.exe  (x12)
4412  explorer.exe  (x30)
Suspicious use of AdjustPrivilegeToken 20 IoCs
Processes:
description  pid  process
Token: SeDebugPrivilege  220  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Token: SeDebugPrivilege  1340  powershell.exe
Token: SeShutdownPrivilege  4516  powercfg.exe
Token: SeCreatePagefilePrivilege  4516  powercfg.exe
Token: SeShutdownPrivilege  2632  powercfg.exe
Token: SeCreatePagefilePrivilege  2632  powercfg.exe
Token: SeShutdownPrivilege  1232  powercfg.exe
Token: SeCreatePagefilePrivilege  1232  powercfg.exe
Token: SeShutdownPrivilege  3652  powercfg.exe
Token: SeCreatePagefilePrivilege  3652  powercfg.exe
Token: SeDebugPrivilege  2168  powershell.exe
Token: SeShutdownPrivilege  4364  powercfg.exe
Token: SeCreatePagefilePrivilege  4364  powercfg.exe
Token: SeShutdownPrivilege  2400  powercfg.exe
Token: SeCreatePagefilePrivilege  2400  powercfg.exe
Token: SeShutdownPrivilege  2528  powercfg.exe
Token: SeCreatePagefilePrivilege  2528  powercfg.exe
Token: SeShutdownPrivilege  3132  powercfg.exe
Token: SeCreatePagefilePrivilege  3132  powercfg.exe
Token: SeLockMemoryPrivilege  4412  explorer.exe
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
description  pid  process  target process  (identical consecutive rows collapsed with a count; 20 events in total)
PID 220 wrote to memory of 2056  220  bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe  east.exe  (x2)
PID 3952 wrote to memory of 4488  3952  cmd.exe  wusa.exe  (x2)
PID 2848 wrote to memory of 5028  2848  cmd.exe  wusa.exe  (x2)
PID 3036 wrote to memory of 4172  3036  updater.exe  conhost.exe  (x9)
PID 3036 wrote to memory of 4412  3036  updater.exe  explorer.exe  (x5)
Processes (process tree: each entry gives the image path, then its command line, then the signatures it triggered; child processes are indented under their parent)

C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
  "C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\east.exe
      "C:\Users\Admin\AppData\Local\Temp\east.exe"
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses

        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
          C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
          - Command and Scripting Interpreter: PowerShell
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
          - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wusa.exe
              wusa /uninstall /kb:890830 /quiet /norestart

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop UsoSvc
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop WaaSMedicSvc
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop wuauserv
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop bits
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop dosvc
          - Launches sc.exe

        C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          - Suspicious use of AdjustPrivilegeToken

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe stop eventlog
          - Launches sc.exe

        C:\Windows\system32\sc.exe
          C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
          - Launches sc.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1040,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8

C:\ProgramData\Google\Chrome\updater.exe
  C:\ProgramData\Google\Chrome\updater.exe
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      - Command and Scripting Interpreter: PowerShell
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wusa.exe
          wusa /uninstall /kb:890830 /quiet /norestart

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      - Launches sc.exe

    C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      - Launches sc.exe

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\conhost.exe
      C:\Windows\system32\conhost.exe

    C:\Windows\explorer.exe
      explorer.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcaowz1r.rkz.ps1
Filesize  60B
MD5  d17fe0a3f47be24a6453e9ef58c94641
SHA1  6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\east.exe
Filesize  5.1MB
MD5  53fc8153edf492734d97158afd8644a5
SHA1  682296b14eddb32ccadaaecc098b497539393b94
SHA256  0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc
SHA512  bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb
-
C:\Users\Admin\AppData\Local\Temp\tmpB0D.tmp
Filesize  46KB
MD5  8f5942354d3809f865f9767eddf51314
SHA1  20be11c0d42fc0cef53931ea9152b55082d1a11e
SHA256  776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea
SHA512  fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218
-
C:\Users\Admin\AppData\Local\Temp\tmpB42.tmp
Filesize  100KB
MD5  baa675ce4124ca3fc5033e2a2c53dbd1
SHA1  2dcc5513270c723fff6148dd2f8196081f83bb16
SHA256  22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4
SHA512  047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec
-
C:\Users\Admin\AppData\Local\Temp\tmpB6D.tmp
Filesize  56KB
MD5  5be7f6f434724dfcc01e8b2b0e753bbe
SHA1  ef1078290de6b5700ff6e804a79beba16c99ba3e
SHA256  4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196
SHA512  3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2
-
C:\Users\Admin\AppData\Local\Temp\tmpB83.tmp
Filesize  228KB
MD5  13884ff020a99ee23a59f4f9f855f3e3
SHA1  d69d9c491ff8c42ed1bb05693edbfa6aa571cb7e
SHA256  3efa47d5a493132e6f00afef7ee29e583f10d1022f98b99d021498e968eb9d9c
SHA512  2ab0190602ed47c63c0208ef04ba83fec765e47db14f114af7b5a02fdcdaed6d0ee3f7291ea5102d4dd8ae5e859063fc3c9f52c94b6bf23735e0f780b8c001de
-
C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp
Filesize  96KB
MD5  d367ddfda80fdcf578726bc3b0bc3e3c
SHA1  23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256  0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512  40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
C:\Windows\system32\drivers\etc\hosts
Filesize  3KB
MD5  00930b40cba79465b7a38ed0449d1449
SHA1  4b25a89ee28b20ba162f23772ddaf017669092a5
SHA256  eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01
SHA512  cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62
-
Memory dumps (resource  Filesize)
memory/220-9-0x0000000006BA0000-0x00000000070CC000-memory.dmp  5.2MB
memory/220-14-0x0000000006A90000-0x0000000006AAE000-memory.dmp  120KB
memory/220-5-0x0000000004F60000-0x0000000004FAC000-memory.dmp  304KB
memory/220-6-0x0000000074F90000-0x0000000075740000-memory.dmp  7.7MB
memory/220-7-0x00000000051C0000-0x00000000052CA000-memory.dmp  1.0MB
memory/220-8-0x00000000064A0000-0x0000000006662000-memory.dmp  1.8MB
memory/220-3-0x0000000004EC0000-0x0000000004ED2000-memory.dmp  72KB
memory/220-10-0x0000000006670000-0x00000000066D6000-memory.dmp  408KB
memory/220-11-0x0000000007680000-0x0000000007C24000-memory.dmp  5.6MB
memory/220-12-0x00000000068E0000-0x0000000006972000-memory.dmp  584KB
memory/220-13-0x0000000006980000-0x00000000069F6000-memory.dmp  472KB
memory/220-4-0x0000000004F20000-0x0000000004F5C000-memory.dmp  240KB
memory/220-163-0x0000000074F9E000-0x0000000074F9F000-memory.dmp  4KB
memory/220-164-0x0000000074F90000-0x0000000075740000-memory.dmp  7.7MB
memory/220-2-0x0000000005470000-0x0000000005A88000-memory.dmp  6.1MB
memory/220-174-0x0000000074F90000-0x0000000075740000-memory.dmp  7.7MB
memory/220-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp  4KB
memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp  120KB
memory/1340-176-0x000001F740220000-0x000001F740242000-memory.dmp  136KB
memory/1340-186-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp  10.8MB
memory/1340-187-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp  10.8MB
memory/1340-190-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp  10.8MB
memory/1340-175-0x00007FFFE4813000-0x00007FFFE4815000-memory.dmp  8KB
memory/2168-215-0x000001D09BA10000-0x000001D09BA1A000-memory.dmp  40KB
memory/2168-214-0x000001D09BE60000-0x000001D09BF15000-memory.dmp  724KB
memory/2168-216-0x000001D09C060000-0x000001D09C07C000-memory.dmp  112KB
memory/2168-217-0x000001D09BA20000-0x000001D09BA2A000-memory.dmp  40KB
memory/2168-218-0x000001D09C080000-0x000001D09C09A000-memory.dmp  104KB
memory/2168-219-0x000001D09BA30000-0x000001D09BA38000-memory.dmp  32KB
memory/2168-220-0x000001D09BA40000-0x000001D09BA46000-memory.dmp  24KB
memory/2168-221-0x000001D09C0A0000-0x000001D09C0AA000-memory.dmp  40KB
memory/2168-213-0x000001D09B9F0000-0x000001D09BA0C000-memory.dmp  112KB
memory/4172-228-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4172-233-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4172-230-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4172-226-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4172-227-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4172-229-0x0000000140000000-0x000000014000E000-memory.dmp  56KB
memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-241-0x0000000001660000-0x0000000001680000-memory.dmp  128KB
memory/4412-234-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB
memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp  8.3MB