redline | bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Size

95KB
MD5

735c15c37831cdc319c03f4f7971da49
SHA1

166949cdb534d97c564adc27f297406a4bf38204
SHA256

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6
SHA512

3c9227b9472d7840f74363b9801756923de56fcff5349f6e287206531c0da4717a9de520322d122bef30f7b66fdbeaac715ebbe64389de89b1c7d5e832e87ac8
SSDEEP

1536:9qskXqrzWBlbG6jejoigI343Ywzi0Zb78ivombfexv0ujXyyed2OtmulgS6pY:rCgzWHY3+zi0ZbYe1g0ujyzd6Y

Score

10^/10

redline sectoprat xmrig exodus discovery evasion execution infostealer miner persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

exodus

94.156.8.229:1334

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000210000-0x000000000022E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-1-0x0000000000210000-0x000000000022E000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 13 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2984-194-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-197-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-201-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-195-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-200-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-199-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-198-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-202-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-203-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-204-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-205-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-206-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/2984-207-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

956 powershell.exe
1684 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Drops file in Drivers directory 2 IoCs

Processes:

updater.exeeast.exe

description ioc process

File created C:\Windows\system32\drivers\etc\hosts updater.exe
File created C:\Windows\system32\drivers\etc\hosts east.exe
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

east.exeupdater.exe

pid process

2356 east.exe
480
1728 updater.exe

pid	process
956	powershell.exe
1684	powershell.exe

description	ioc	process
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe
File created	C:\Windows\system32\drivers\etc\hosts	east.exe

pid	process
2356	east.exe
480
1728	updater.exe

Loads dropped DLL 3 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

pid	process
2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
480

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2984-191-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-189-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-194-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-197-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-201-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-195-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-200-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-199-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-198-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-193-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-192-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-190-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-202-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-203-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-204-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-205-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-206-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/2984-207-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 4 IoCs

Processes:

east.exepowershell.exeupdater.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	east.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

updater.exe

description	pid	process	target process
PID 1728 set thread context of 308	1728	updater.exe	conhost.exe
PID 1728 set thread context of 2984	1728	updater.exe	explorer.exe

Drops file in Windows directory 2 IoCs

Processes:

wusa.exewusa.exe

description ioc process

File created C:\Windows\wusa.lock wusa.exe
File created C:\Windows\wusa.lock wusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid	process
1096	sc.exe
2160	sc.exe
2588	sc.exe
2940	sc.exe
2688	sc.exe
2684	sc.exe
2884	sc.exe
2916	sc.exe
2156	sc.exe
2032	sc.exe
2116	sc.exe
556	sc.exe
1880	sc.exe
3048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 504ca1cf1aa6da01	powershell.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exeeast.exepowershell.exeupdater.exepowershell.exeexplorer.exe

pid	process
2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
2356	east.exe
956	powershell.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
2356	east.exe
1728	updater.exe
1684	powershell.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
1728	updater.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe
2984	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeShutdownPrivilege	1860	powercfg.exe
Token: SeShutdownPrivilege	1036	powercfg.exe
Token: SeShutdownPrivilege	2088	powercfg.exe
Token: SeShutdownPrivilege	820	powercfg.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeShutdownPrivilege	2732	powercfg.exe
Token: SeShutdownPrivilege	2468	powercfg.exe
Token: SeShutdownPrivilege	2824	powercfg.exe
Token: SeShutdownPrivilege	2832	powercfg.exe
Token: SeLockMemoryPrivilege	2984	explorer.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.execmd.execmd.exeupdater.exe

description	pid	process	target process
PID 2220 wrote to memory of 2356	2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2220 wrote to memory of 2356	2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2220 wrote to memory of 2356	2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 2220 wrote to memory of 2356	2220	bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe	east.exe
PID 616 wrote to memory of 2288	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 2288	616	cmd.exe	wusa.exe
PID 616 wrote to memory of 2288	616	cmd.exe	wusa.exe
PID 3032 wrote to memory of 2536	3032	cmd.exe	wusa.exe
PID 3032 wrote to memory of 2536	3032	cmd.exe	wusa.exe
PID 3032 wrote to memory of 2536	3032	cmd.exe	wusa.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 308	1728	updater.exe	conhost.exe
PID 1728 wrote to memory of 2984	1728	updater.exe	explorer.exe
PID 1728 wrote to memory of 2984	1728	updater.exe	explorer.exe
PID 1728 wrote to memory of 2984	1728	updater.exe	explorer.exe
PID 1728 wrote to memory of 2984	1728	updater.exe	explorer.exe
PID 1728 wrote to memory of 2984	1728	updater.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe
"C:\Users\Admin\AppData\Local\Temp\bb762ded17b408634ecd0675d9e823cebd7984cca8cfc53afe5f3665cde3dee6.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Users\Admin\AppData\Local\Temp\east.exe
  "C:\Users\Admin\AppData\Local\Temp\east.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2356
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:616
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Drops file in Windows directory
      PID:2288
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:556
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1096
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2160
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:2884
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1860
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1036
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2088
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:3048
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:2032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2940
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
    3⤵
    - Launches sc.exe
    PID:2916

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    - Drops file in Windows directory
    PID:2536
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:2116
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:2688
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:2684
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2156
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2468
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2824
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:308
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2f59cb121476103b926ae9a32219f187

SHA1
bb6b96a4363a4d4e25b72f8dd318072addfd4529

SHA256
6eaca65ffbe67a6648cd46128d8db2f6623d2712c456bedbcc6b6a72411b56f9

SHA512
bdbac2961580e1a192fe2789c08a6fd87bc52dbaf0c45464d85b24ca15edf3f3435c72b86117377ede4c3c6638a58d11029ee8e6a3ea9bb20518f89fcc3a5f7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab41E2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42E3.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\east.exe

Filesize
5.1MB

MD5
53fc8153edf492734d97158afd8644a5

SHA1
682296b14eddb32ccadaaecc098b497539393b94

SHA256
0cbef477e60c59c62f64fe6760ebcf4325c479a957a5622a66feabb0cf50befc

SHA512
bda8742db17f89534e2c8a3c53a14d31cb52179cfe06bf24114690046eae42ccb67394e054eb4a53df28b0e0ff5a7ebeb2d23c809b7d40579d988a695c3981eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp44ED.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4502.tmp

Filesize
92KB

MD5
cca646afddab881d02bb60864ff72e23

SHA1
25b462e62a0219857cc854f6433e8acea77e3dbc

SHA256
c7223e5de0b0db22b3e193b2d48215816c75472ccdf9330a0ab66d4731b2e49e

SHA512
c35da6cfe5e4a3f887a876b38b4e5b9e6d5c035cf8d6f20158f89ee14a196941fd6a29faa1f90f64cd253556536670773ec15cd358014d994483a8745c41587d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
3e9af076957c5b2f9c9ce5ec994bea05

SHA1
a8c7326f6bceffaeed1c2bb8d7165e56497965fe

SHA256
e332ebfed27e0bb08b84dfda05acc7f0fa1b6281678e0120c5b7c893a75df47e

SHA512
933ba0d69e7b78537348c0dc1bf83fb069f98bb93d31c638dc79c4a48d12d879c474bd61e3cbde44622baef5e20fb92ebf16c66128672e4a6d4ee20afbf9d01f

Download Submit
memory/308-185-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/308-187-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/308-180-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/308-181-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/308-182-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/308-183-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/956-168-0x000000001B480000-0x000000001B762000-memory.dmp

Filesize
2.9MB

Download
memory/956-169-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1684-176-0x0000000019F40000-0x000000001A222000-memory.dmp

Filesize
2.9MB

Download
memory/1684-177-0x00000000009E0000-0x00000000009E8000-memory.dmp

Filesize
32KB

Download
memory/2220-154-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-163-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-0-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2220-153-0x0000000074DCE000-0x0000000074DCF000-memory.dmp

Filesize
4KB

Download
memory/2220-2-0x0000000074DC0000-0x00000000754AE000-memory.dmp

Filesize
6.9MB

Download
memory/2220-1-0x0000000000210000-0x000000000022E000-memory.dmp

Filesize
120KB

Download
memory/2984-199-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-196-0x00000000001B0000-0x00000000001D0000-memory.dmp

Filesize
128KB

Download
memory/2984-194-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-197-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-201-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-195-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-200-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-191-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-198-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-189-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-193-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-192-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-190-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-202-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-203-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-204-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-205-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-206-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2984-207-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download