redline | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Size

95KB
MD5

735c15c37831cdc319c03f4f7971da49
SHA1

166949cdb534d97c564adc27f297406a4bf38204
SHA256

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6
SHA512

3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8
SSDEEP

1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y

Score

10^/10

redline sectoprat xmrig exodus discovery evasion execution infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

exodus

94.156.8.229:1334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

UPX dump on OEP (original entry point) 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1340 powershell.exe
2168 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

east.exeupdater.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts east.exe
File created C:\Windows\system32\drivers\etc\hosts updater.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
1340	powershell.exe
2168	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	east.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

Executes dropped EXE 2 IoCs

Processes:

east.exeupdater.exe

pid process

2056 east.exe
3036 updater.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2056	east.exe
3036	updater.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4412-234-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

powershell.exeupdater.exeeast.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	east.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 3036 set thread context of 4172	3036	updater.exe	conhost.exe
PID 3036 set thread context of 4412	3036	updater.exe	explorer.exe

Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

4948 sc.exe
4860 sc.exe
3536 sc.exe
540 sc.exe
436 sc.exe
2196 sc.exe
3828 sc.exe
1712 sc.exe
224 sc.exe
1980 sc.exe
884 sc.exe
2320 sc.exe
3960 sc.exe
4108 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4948	sc.exe
4860	sc.exe
3536	sc.exe
540	sc.exe
436	sc.exe
2196	sc.exe
3828	sc.exe
1712	sc.exe
224	sc.exe
1980	sc.exe
884	sc.exe
2320	sc.exe
3960	sc.exe
4108	sc.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exeeast.exepowershell.exeupdater.exepowershell.exeexplorer.exe

pid	process
220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2056	east.exe
1340	powershell.exe
1340	powershell.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
2056	east.exe
3036	updater.exe
2168	powershell.exe
2168	powershell.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
3036	updater.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe
4412	explorer.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeShutdownPrivilege	4516	powercfg.exe
Token: SeCreatePagefilePrivilege	4516	powercfg.exe
Token: SeShutdownPrivilege	2632	powercfg.exe
Token: SeCreatePagefilePrivilege	2632	powercfg.exe
Token: SeShutdownPrivilege	1232	powercfg.exe
Token: SeCreatePagefilePrivilege	1232	powercfg.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeShutdownPrivilege	4364	powercfg.exe
Token: SeCreatePagefilePrivilege	4364	powercfg.exe
Token: SeShutdownPrivilege	2400	powercfg.exe
Token: SeCreatePagefilePrivilege	2400	powercfg.exe
Token: SeShutdownPrivilege	2528	powercfg.exe
Token: SeCreatePagefilePrivilege	2528	powercfg.exe
Token: SeShutdownPrivilege	3132	powercfg.exe
Token: SeCreatePagefilePrivilege	3132	powercfg.exe
Token: SeLockMemoryPrivilege	4412	explorer.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 220 wrote to memory of 2056	220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 220 wrote to memory of 2056	220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 3952 wrote to memory of 4488	3952	cmd.exe	wusa.exe
PID 3952 wrote to memory of 4488	3952	cmd.exe	wusa.exe
PID 2848 wrote to memory of 5028	2848	cmd.exe	wusa.exe
PID 2848 wrote to memory of 5028	2848	cmd.exe	wusa.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4172	3036	updater.exe	conhost.exe
PID 3036 wrote to memory of 4412	3036	updater.exe	explorer.exe
PID 3036 wrote to memory of 4412	3036	updater.exe	explorer.exe
PID 3036 wrote to memory of 4412	3036	updater.exe	explorer.exe
PID 3036 wrote to memory of 4412	3036	updater.exe	explorer.exe
PID 3036 wrote to memory of 4412	3036	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
"C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\east.exe
"C:\Users\Admin\AppData\Local\Temp\east.exe"
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4488

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:1712

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:224

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:1980

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:3536

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:436

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2196

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:884

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
3⤵
- Launches sc.exe
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1040,i,4686244434963378549,11462511444150484980,262144 --variations-seed-version --mojo-platform-channel-handle=4356 /prefetch:8
1⤵
PID:3088

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3036

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:5028

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:4948

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2320

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4860

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4108

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:3960

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3132

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4172

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4412

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lcaowz1r.rkz.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\east.exe
Filesize
5.1MB

MD5
53fc8153edf492734d97158afd8644a5

SHA1
682296b14eddb32ccadaaecc098b497539393b94

SHA256
0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc

SHA512
bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB0D.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB42.tmp
Filesize
100KB

MD5
baa675ce4124ca3fc5033e2a2c53dbd1

SHA1
2dcc5513270c723fff6148dd2f8196081f83bb16

SHA256
22cc36f18e7df98e3c58cd6fce492688970d4a5d1fb1865e5749b76138cdd9f4

SHA512
047d4d9a7d415d5a4814acc42f9148c0de7ec34c5d53cc90cdcbb218406b343a3c5a1f5ec4cc3b8ccca6b7f08ed0115b7e568a5141e1335c2a2a6ed2682b45ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6D.tmp
Filesize
56KB

MD5
5be7f6f434724dfcc01e8b2b0e753bbe

SHA1
ef1078290de6b5700ff6e804a79beba16c99ba3e

SHA256
4064b300ca1a67a3086e1adb18001c0017384b8f84ff4c0e693858889cef2196

SHA512
3b470c3ad5be3dd7721548021a818034584bbd88237b1710ce52ac67e04126fff4592c02f5868ebda72f662ec8c5f7fc4d0a458f49fe5eb47e024a5c50935ee2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB83.tmp
Filesize
228KB

MD5
13884ff020a99ee23a59f4f9f855f3e3

SHA1
d69d9c491ff8c42ed1bb05693edbfa6aa571cb7e

SHA256
3efa47d5a493132e6f00afef7ee29e583f10d1022f98b99d021498e968eb9d9c

SHA512
2ab0190602ed47c63c0208ef04ba83fec765e47db14f114af7b5a02fdcdaed6d0ee3f7291ea5102d4dd8ae5e859063fc3c9f52c94b6bf23735e0f780b8c001de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBAE.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
3KB

MD5
00930b40cba79465b7a38ed0449d1449

SHA1
4b25a89ee28b20ba162f23772ddaf017669092a5

SHA256
eda1aae2c8fce700e3bdbe0186cf3db88400cf0ac13ec736e84dacba61628a01

SHA512
cbe4760ec041e7da7ab86474d5c82969cfccb8ccc5dbdac9436862d5b1b86210ab90754d3c8da5724176570d8842e57a716a281acba8719e90098a6f61a17c62

Download Submit
memory/220-9-0x0000000006BA0000-0x00000000070CC000-memory.dmp

Filesize
5.2MB

Download
memory/220-14-0x0000000006A90000-0x0000000006AAE000-memory.dmp

Filesize
120KB

Download
memory/220-5-0x0000000004F60000-0x0000000004FAC000-memory.dmp

Filesize
304KB

Download
memory/220-6-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/220-7-0x00000000051C0000-0x00000000052CA000-memory.dmp

Filesize
1.0MB

Download
memory/220-8-0x00000000064A0000-0x0000000006662000-memory.dmp

Filesize
1.8MB

Download
memory/220-3-0x0000000004EC0000-0x0000000004ED2000-memory.dmp

Filesize
72KB

Download
memory/220-10-0x0000000006670000-0x00000000066D6000-memory.dmp

Filesize
408KB

Download
memory/220-11-0x0000000007680000-0x0000000007C24000-memory.dmp

Filesize
5.6MB

Download
memory/220-12-0x00000000068E0000-0x0000000006972000-memory.dmp

Filesize
584KB

Download
memory/220-13-0x0000000006980000-0x00000000069F6000-memory.dmp

Filesize
472KB

Download
memory/220-4-0x0000000004F20000-0x0000000004F5C000-memory.dmp

Filesize
240KB

Download
memory/220-163-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/220-164-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/220-2-0x0000000005470000-0x0000000005A88000-memory.dmp

Filesize
6.1MB

Download
memory/220-174-0x0000000074F90000-0x0000000075740000-memory.dmp

Filesize
7.7MB

Download
memory/220-0-0x0000000074F9E000-0x0000000074F9F000-memory.dmp

Filesize
4KB

Download
memory/220-1-0x00000000004F0000-0x000000000050E000-memory.dmp

Filesize
120KB

Download
memory/1340-176-0x000001F740220000-0x000001F740242000-memory.dmp

Filesize
136KB

Download
memory/1340-186-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-187-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-190-0x00007FFFE4810000-0x00007FFFE52D1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-175-0x00007FFFE4813000-0x00007FFFE4815000-memory.dmp

Filesize
8KB

Download
memory/2168-215-0x000001D09BA10000-0x000001D09BA1A000-memory.dmp

Filesize
40KB

Download
memory/2168-214-0x000001D09BE60000-0x000001D09BF15000-memory.dmp

Filesize
724KB

Download
memory/2168-216-0x000001D09C060000-0x000001D09C07C000-memory.dmp

Filesize
112KB

Download
memory/2168-217-0x000001D09BA20000-0x000001D09BA2A000-memory.dmp

Filesize
40KB

Download
memory/2168-218-0x000001D09C080000-0x000001D09C09A000-memory.dmp

Filesize
104KB

Download
memory/2168-219-0x000001D09BA30000-0x000001D09BA38000-memory.dmp

Filesize
32KB

Download
memory/2168-220-0x000001D09BA40000-0x000001D09BA46000-memory.dmp

Filesize
24KB

Download
memory/2168-221-0x000001D09C0A0000-0x000001D09C0AA000-memory.dmp

Filesize
40KB

Download
memory/2168-213-0x000001D09B9F0000-0x000001D09BA0C000-memory.dmp

Filesize
112KB

Download
memory/4172-228-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4172-233-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4172-230-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4172-226-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4172-227-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4172-229-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4412-236-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-242-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-246-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-244-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-239-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-237-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-241-0x0000000001660000-0x0000000001680000-memory.dmp

Filesize
128KB

Download
memory/4412-234-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-243-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-245-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-240-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-238-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-235-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-247-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-248-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-249-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-250-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-251-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/4412-252-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download