redline | f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19

Analysis

max time kernel
298s
max time network
292s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
Size

596KB
MD5

1d3535cc01b2cc54b808a55e945707a0
SHA1

a9a563b8ee37f17c847248bb207b28086d9f4628
SHA256

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19
SHA512

4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc
SSDEEP

12288:15/Sm4/r42toIX4IaZo2BOtdMKX8MbICwAvV6LwfAnxMlpxxWmBNIg9SWvAK:70/rX8IJ2BwNQcfAnxgDzBx

Score

10^/10

redline sectoprat xworm vic discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
taskmgr.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

Vic

beshomandotestbesnd.run.place:1111

Signatures

Detect Xworm Payload 3 IoCs

Processes:

resource	yara_rule
\ProgramData\system.exe	family_xworm
behavioral1/memory/2760-137-0x0000000000020000-0x000000000003A000-memory.dmp	family_xworm
behavioral1/memory/2752-355-0x0000000000F60000-0x0000000000F7A000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
\ProgramData\build.exe	family_redline
behavioral1/memory/1868-136-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
\ProgramData\build.exe	family_sectoprat
behavioral1/memory/1868-136-0x0000000000A40000-0x0000000000A5E000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

1644 powershell.exe
2428 powershell.exe
2504 powershell.exe
2220 powershell.exe

pid	process
1644	powershell.exe
2428	powershell.exe
2504	powershell.exe
2220	powershell.exe

.NET Reactor proctector 35 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/1964-5-0x0000000004900000-0x0000000004966000-memory.dmp	net_reactor
behavioral1/memory/1964-6-0x00000000049B0000-0x0000000004A14000-memory.dmp	net_reactor
behavioral1/memory/1964-7-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-8-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-10-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-12-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-14-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-16-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-18-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-22-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-28-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-32-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-30-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-26-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-24-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-20-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-54-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-70-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-68-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-66-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-64-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-62-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-60-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-58-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-56-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-52-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-50-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-48-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-46-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-44-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-42-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-40-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-38-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-36-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor
behavioral1/memory/1964-34-0x00000000049B0000-0x0000000004A0F000-memory.dmp	net_reactor

Drops startup file 2 IoCs

Processes:

system.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\taskmgr.lnk	system.exe

Executes dropped EXE 7 IoCs

Processes:

system.exebuild.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exe

pid process

2760 system.exe
1868 build.exe
2752 taskmgr.exe
1444 taskmgr.exe
464 taskmgr.exe
2908 taskmgr.exe
2792 taskmgr.exe

pid	process
2760	system.exe
1868	build.exe
2752	taskmgr.exe
1444	taskmgr.exe
464	taskmgr.exe
2908	taskmgr.exe
2792	taskmgr.exe

Loads dropped DLL 2 IoCs

Processes:

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe

pid	process
1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

system.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskmgr = "C:\\ProgramData\\taskmgr.exe"	system.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3036 schtasks.exe

flow	ioc
4	ip-api.com

pid	process
3036	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

build.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	build.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	build.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

system.exe

pid process

2760 system.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exesystem.exebuild.exe

pid process

2504 powershell.exe
2220 powershell.exe
1644 powershell.exe
2428 powershell.exe
2760 system.exe
1868 build.exe
1868 build.exe

pid	process
2760	system.exe

pid	process
2504	powershell.exe
2220	powershell.exe
1644	powershell.exe
2428	powershell.exe
2760	system.exe
1868	build.exe
1868	build.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exesystem.exebuild.exepowershell.exepowershell.exepowershell.exepowershell.exetaskmgr.exetaskmgr.exetaskmgr.exetaskmgr.exe

description	pid	process
Token: SeDebugPrivilege	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
Token: SeDebugPrivilege	2760	system.exe
Token: SeDebugPrivilege	1868	build.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2760	system.exe
Token: SeDebugPrivilege	2752	taskmgr.exe
Token: SeDebugPrivilege	1444	taskmgr.exe
Token: SeDebugPrivilege	2908	taskmgr.exe
Token: SeDebugPrivilege	2792	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

system.exe

pid process

2760 system.exe

pid	process
2760	system.exe

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exesystem.exetaskeng.exe

description	pid	process	target process
PID 1964 wrote to memory of 2760	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 1964 wrote to memory of 2760	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 1964 wrote to memory of 2760	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 1964 wrote to memory of 2760	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	system.exe
PID 1964 wrote to memory of 1868	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 1964 wrote to memory of 1868	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 1964 wrote to memory of 1868	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 1964 wrote to memory of 1868	1964	f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe	build.exe
PID 2760 wrote to memory of 2504	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2504	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2504	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2220	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2220	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2220	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 1644	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 1644	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 1644	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2428	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2428	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 2428	2760	system.exe	powershell.exe
PID 2760 wrote to memory of 3036	2760	system.exe	schtasks.exe
PID 2760 wrote to memory of 3036	2760	system.exe	schtasks.exe
PID 2760 wrote to memory of 3036	2760	system.exe	schtasks.exe
PID 2912 wrote to memory of 2752	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2752	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2752	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 1444	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 1444	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 1444	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 464	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 464	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 464	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2908	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2908	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2908	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2792	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2792	2912	taskeng.exe	taskmgr.exe
PID 2912 wrote to memory of 2792	2912	taskeng.exe	taskmgr.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
"C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\ProgramData\system.exe
"C:\ProgramData\system.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
3⤵
- Creates scheduled task(s)
PID:3036

C:\ProgramData\build.exe
"C:\ProgramData\build.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\taskeng.exe
taskeng.exe {7BDFE3EA-A97A-48EF-80D8-E0DA109D334F} S-1-5-21-3691908287-3775019229-3534252667-1000:UOTHCPHQ\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2912

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
- Executes dropped EXE
PID:464

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\ProgramData\taskmgr.exe
C:\ProgramData\taskmgr.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
ea87f65949b4998cf5e34c05dbeb8947

SHA1
a553c2e7c1247c558382b11a91c7ad71bddb6ea8

SHA256
a22d71c9070ae670a75d7ba4784562090daf56fd0d04d7e7ac369d349681927a

SHA512
3ce0e1d1eab134b97134f075e6ca90897b63e5582c233f76432bd6b247479f298d54018937e8086fb7f5381d2df4e4276dfed552729c9d8f9ec6cbac108f9e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3610.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3671.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E4B.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3E60.tmp
Filesize
92KB

MD5
5f914a013176785e26d70d07234c605c

SHA1
5336e9ed6aeb682b46a0472f4f80ec24c4504210

SHA256
72b56bbce7e5e07702bf46a002c75cb3a8994fd390b190b989628d387d21975b

SHA512
103eff502bec0df1a36bd19a97ca1d10cc34da2183480fe146434ec916020011c8af003b66ab5f6f4886e95b21749be8d8c3c3ebf3ae1b2e5c6db216e8b4e1b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7ST0X332H2XH3DR16HKN.temp
Filesize
7KB

MD5
bcbf777db52c1223dba98b215f8b187e

SHA1
f620be010f61eadf44b2597330f155b5212da54c

SHA256
9bd5399af0dcf7588b521704f605f183424e8e79526759981f8b5bfdd4c51624

SHA512
440aa0b60b5e6bb11f189575640e4406c06a893ae17e17578cf074476de88c1ca701142cbadb19192beef274088642069a669f4fea2ef7fdf497aecd06da5d88

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\build.exe
Filesize
95KB

MD5
16280875fdcf55ab4c8f1dff6dabc72e

SHA1
39880e6fbb258f4f4fa5c79337ec893acae55fb7

SHA256
91455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a

SHA512
53ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e

Download Submit
\ProgramData\system.exe
Filesize
75KB

MD5
70b9f8ef4c4ce24fe372b292aebcd138

SHA1
5fd7ce9318727b27db0dd50effbb632686d53f8c

SHA256
15af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b

SHA512
b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad

Download Submit
memory/1868-348-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/1868-349-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-351-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-138-0x0000000074D30000-0x000000007541E000-memory.dmp

Filesize
6.9MB

Download
memory/1868-136-0x0000000000A40000-0x0000000000A5E000-memory.dmp

Filesize
120KB

Download
memory/1868-135-0x0000000074D3E000-0x0000000074D3F000-memory.dmp

Filesize
4KB

Download
memory/1964-46-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-28-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-26-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-24-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-20-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-54-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-70-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-68-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-66-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-64-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-62-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-60-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-58-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-56-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-52-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-50-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-48-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-1-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1964-44-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-42-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-40-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-38-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-36-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-34-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-32-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-30-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-3-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1964-132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-131-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/1964-130-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/1964-22-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-18-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-2-0x0000000000310000-0x0000000000398000-memory.dmp

Filesize
544KB

Download
memory/1964-16-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-4-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1964-5-0x0000000004900000-0x0000000004966000-memory.dmp

Filesize
408KB

Download
memory/1964-6-0x00000000049B0000-0x0000000004A14000-memory.dmp

Filesize
400KB

Download
memory/1964-14-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-7-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-8-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-12-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/1964-10-0x00000000049B0000-0x0000000004A0F000-memory.dmp

Filesize
380KB

Download
memory/2220-152-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2220-151-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2504-145-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2504-144-0x000000001B800000-0x000000001BAE2000-memory.dmp

Filesize
2.9MB

Download
memory/2752-355-0x0000000000F60000-0x0000000000F7A000-memory.dmp

Filesize
104KB

Download
memory/2760-347-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

Filesize
4KB

Download
memory/2760-139-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2760-137-0x0000000000020000-0x000000000003A000-memory.dmp

Filesize
104KB

Download
memory/2760-350-0x000000001B2F0000-0x000000001B370000-memory.dmp

Filesize
512KB

Download
memory/2760-134-0x000007FEF6193000-0x000007FEF6194000-memory.dmp

Filesize
4KB

Download