redline | 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Size

515KB
MD5

148b2c38cf0726535d760a703f803c80
SHA1

107503ca149f547d4745fe9b9a3fbae03d60126c
SHA256

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d
SHA512

6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd
SSDEEP

12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Score

10^/10

redline sectoprat xworm docx discovery execution infostealer persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:7000

beshomandotestbesnd.run.place:7000

Attributes

Install_directory
%ProgramData%
install_file
cmd.exe
telegram
https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

DOCX

beshomandotestbesnd.run.place:1111

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
behavioral2/memory/1560-183-0x0000000008E50000-0x0000000008E5E000-memory.dmp	disable_win_def

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-44-0x0000000000400000-0x0000000000418000-memory.dmp	family_xworm

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-179-0x0000000007680000-0x000000000769E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-179-0x0000000007680000-0x000000000769E000-memory.dmp	family_sectoprat

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-179-0x0000000007680000-0x000000000769E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-44-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-183-0x0000000008E50000-0x0000000008E5E000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables embedding registry key / value combination indicative of disabling Windows Defender features 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-183-0x0000000008E50000-0x0000000008E5E000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender

Detects executables using Telegram Chat Bot 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1560-44-0x0000000000400000-0x0000000000418000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1540	powershell.exe
1992	powershell.exe
980	powershell.exe
2928	powershell.exe
3752	powershell.exe
4208	powershell.exe
2196	powershell.exe
2044	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops startup file 2 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Executes dropped EXE 3 IoCs

Processes:

cmd.execmd.execmd.exe

pid process

1652 cmd.exe
2356 cmd.exe
2428 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1652	cmd.exe
2356	cmd.exe
2428	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\ProgramData\\cmd.exe"	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.exe

description	pid	process	target process
PID 644 set thread context of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 1652 set thread context of 2356	1652	cmd.exe	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1564 schtasks.exe
3384 schtasks.exe
5056 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid process

1560 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid	process
1564	schtasks.exe
3384	schtasks.exe
5056	schtasks.exe

pid	process
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.exepowershell.exepowershell.exe

pid	process
644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1992	powershell.exe
644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1992	powershell.exe
1992	powershell.exe
980	powershell.exe
980	powershell.exe
980	powershell.exe
644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
2928	powershell.exe
2928	powershell.exe
3752	powershell.exe
3752	powershell.exe
4208	powershell.exe
4208	powershell.exe
2196	powershell.exe
2196	powershell.exe
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
1652	cmd.exe
2044	powershell.exe
2044	powershell.exe
1652	cmd.exe
1540	powershell.exe
1652	cmd.exe
1540	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exepowershell.exepowershell.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.execmd.exe

description	pid	process
Token: SeDebugPrivilege	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	3752	powershell.exe
Token: SeDebugPrivilege	4208	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
Token: SeDebugPrivilege	1652	cmd.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	2356	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid process

1560 30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

pid	process
1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.execmd.exe

description	pid	process	target process
PID 644 wrote to memory of 1992	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 1992	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 1992	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 980	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 980	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 980	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 644 wrote to memory of 1564	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 644 wrote to memory of 1564	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 644 wrote to memory of 1564	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 644 wrote to memory of 1560	644	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
PID 1560 wrote to memory of 2928	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 2928	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 2928	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 3752	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 3752	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 3752	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 4208	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 4208	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 4208	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 2196	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 2196	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 2196	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	powershell.exe
PID 1560 wrote to memory of 3384	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 1560 wrote to memory of 3384	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 1560 wrote to memory of 3384	1560	30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe	schtasks.exe
PID 1652 wrote to memory of 2044	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 2044	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 2044	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1540	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1540	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 1540	1652	cmd.exe	powershell.exe
PID 1652 wrote to memory of 5056	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 5056	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 5056	1652	cmd.exe	schtasks.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe
PID 1652 wrote to memory of 2356	1652	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7753.tmp"
2⤵
- Creates scheduled task(s)
PID:1564

C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
"C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
3⤵
- Creates scheduled task(s)
PID:3384

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD472.tmp"
2⤵
- Creates scheduled task(s)
PID:5056

C:\ProgramData\cmd.exe
"C:\ProgramData\cmd.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\ProgramData\cmd.exe
C:\ProgramData\cmd.exe
1⤵
- Executes dropped EXE
PID:2428

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cmd.exe
Filesize
515KB

MD5
148b2c38cf0726535d760a703f803c80

SHA1
107503ca149f547d4745fe9b9a3fbae03d60126c

SHA256
30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

SHA512
6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\cmd.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
2f530fe69763359284ca52b19a0f8a67

SHA1
91dc820889dce2ff70a26281af3f886e6f03522f

SHA256
8ccd94a5e09802af641e499cb24f2f8bb729f8574184484b28f56cfeb1dd65c3

SHA512
d1bb90ab1dee9f9b3e702e0308f5055336b2fb5a717d6392e8b22dc4f44ea8521be2af021e214135b80fbd2c5fe649488c276a189050680c7f6bea1ce32ab059

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
5fb884b45ca060bbec75967810944237

SHA1
f60b194e10a8885e416926bca4cfe0221beae11a

SHA256
e55ef12509bf4a5df19ef9982b4ef25fc9d2475bd438292f9a03bf3a172af3d8

SHA512
1af0608bb1663b806b8e2773bd13e6c4f455d418ad9789aefaa83577b5d04c04fd791b95301b9039bfca0d31ff4b20681cc1aa33ab61ecfe1cacb022078b1d46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
672d679d0e538434476522e103be05ef

SHA1
53ae92ff4ae9e65be78b38f32ad0c97346d4481f

SHA256
42025d1d93f24696be3db551e5acc5e7bc2d238b1e2074d5ff676120a589c257

SHA512
3a157da56e2e576d400a8dc98f62803330dd0637b364172f8a6feaa93b771acfe8de865e1aa3ed2f1928c28bba636c1db0748d1d93f26284751b9e2ff4615221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
88940ab8cd6b1de9022be531c7364903

SHA1
530f8d4017f22d3a45f61a97aa3911b788860562

SHA256
85dbcbb447908313e75e1a893d53939a2c2c2234b8c0170f7fe4569a432e8b17

SHA512
6a2cb4363b9a4be5bdfd05890941564ccec38ef1e9a888cc11ad83f4fbcdba63d026e77b31ef2ebc4e641c569f1522216d0c9cedf4814acd9107da4954ce45bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
15KB

MD5
ee4e482ccc5d0d6097cf9fe7db6a81fb

SHA1
6163390e9df6191732001377564c7009559bf6f5

SHA256
a6138cd93aa305df63c9878fa8652b21d2a9c1d4ccdb05d33d09af88d8c09ffe

SHA512
0bb0c7de57f324b999e4c25b1f2a0cc32d357ba7629f0417a507a1c4edef44090cfb3d3b0dde0eb3db2996598757628d326078b3e3693dd03fad3b2cd8c84dc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
f3addef1cb403d907e161be53380d0ea

SHA1
911c81932c4079eb07140942cbdcff89b7d6e759

SHA256
ec7e4f5d589009fc9ed83b6746b612ba3d295d05aff29576ed6f4389ae2ee07d

SHA512
e081cdb701834d18b449aac8ca607009fd24fc002cb00759071c451e3782f58d35fdd2c8ffaedb51998dc0c08dbb0a07e255964f1eec643f144199da6ebbb353

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yozyftnv.uxm.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7753.tmp
Filesize
1KB

MD5
fe39377304e5cc1e2a728f63dcf70c18

SHA1
eb8f20badfc04e38a872004d962133f379de9e69

SHA256
8edf7f6d800fb82f733370b6e9583b304b05cef4dbadd25113a5b1e74fb49388

SHA512
9d115783d530666e4c0c7887beb507158c8a0f3e3b76cde9cf84be6cd0d747dd30e8269136d0960e9495b493f71fabb93eed6bc8bc57dae40c7362007ff89b77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF609.tmp
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF62E.tmp
Filesize
100KB

MD5
bfbf67a3ad4b5c0f7804f85d1f449a80

SHA1
110780a35d61de23b5fcb7b9e75a3ed07deb7838

SHA256
2a38ab429847061aa3c614982e801e2e7139977a227466ce5ee61fa382a2bc2e

SHA512
77bd3011b5d0074af16b93a5ab1967379a0a032bbf43c1e7b6ef205aeb27454e079c94e419bea6f7d730dc84b632e44250203a508fcdcd864ada9888381f4fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF669.tmp
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF67F.tmp
Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF695.tmp
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF6CF.tmp
Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
memory/644-7-0x0000000005E60000-0x0000000005E70000-memory.dmp

Filesize
64KB

Download
memory/644-9-0x000000000AB30000-0x000000000ABCC000-memory.dmp

Filesize
624KB

Download
memory/644-8-0x0000000006C50000-0x0000000006CAA000-memory.dmp

Filesize
360KB

Download
memory/644-0-0x000000007465E000-0x000000007465F000-memory.dmp

Filesize
4KB

Download
memory/644-6-0x00000000084D0000-0x00000000084EA000-memory.dmp

Filesize
104KB

Download
memory/644-46-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/644-5-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/644-4-0x00000000057C0000-0x00000000057CA000-memory.dmp

Filesize
40KB

Download
memory/644-3-0x00000000057D0000-0x0000000005862000-memory.dmp

Filesize
584KB

Download
memory/644-2-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/644-1-0x0000000000D40000-0x0000000000DC8000-memory.dmp

Filesize
544KB

Download
memory/980-62-0x000000006F070000-0x000000006F0BC000-memory.dmp

Filesize
304KB

Download
memory/980-75-0x0000000007BA0000-0x0000000007BAE000-memory.dmp

Filesize
56KB

Download
memory/1560-183-0x0000000008E50000-0x0000000008E5E000-memory.dmp

Filesize
56KB

Download
memory/1560-209-0x000000000C4D0000-0x000000000C4E4000-memory.dmp

Filesize
80KB

Download
memory/1560-367-0x000000000B880000-0x000000000B89E000-memory.dmp

Filesize
120KB

Download
memory/1560-366-0x000000000BC70000-0x000000000BCE6000-memory.dmp

Filesize
472KB

Download
memory/1560-211-0x000000000C800000-0x000000000CD2C000-memory.dmp

Filesize
5.2MB

Download
memory/1560-210-0x000000000BAA0000-0x000000000BC62000-memory.dmp

Filesize
1.8MB

Download
memory/1560-208-0x000000000C4A0000-0x000000000C4B1000-memory.dmp

Filesize
68KB

Download
memory/1560-207-0x000000000C3A0000-0x000000000C443000-memory.dmp

Filesize
652KB

Download
memory/1560-197-0x000000000A9A0000-0x000000000ACF4000-memory.dmp

Filesize
3.3MB

Download
memory/1560-196-0x000000000A890000-0x000000000A99A000-memory.dmp

Filesize
1.0MB

Download
memory/1560-195-0x0000000009F30000-0x0000000009F7A000-memory.dmp

Filesize
296KB

Download
memory/1560-194-0x0000000009DD0000-0x0000000009DF2000-memory.dmp

Filesize
136KB

Download
memory/1560-184-0x0000000009240000-0x000000000928C000-memory.dmp

Filesize
304KB

Download
memory/1560-182-0x0000000009030000-0x000000000906C000-memory.dmp

Filesize
240KB

Download
memory/1560-181-0x0000000008E90000-0x0000000008EA2000-memory.dmp

Filesize
72KB

Download
memory/1560-180-0x0000000009400000-0x0000000009A18000-memory.dmp

Filesize
6.1MB

Download
memory/1560-179-0x0000000007680000-0x000000000769E000-memory.dmp

Filesize
120KB

Download
memory/1560-44-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1992-22-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1992-21-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/1992-47-0x0000000006A80000-0x0000000006AB2000-memory.dmp

Filesize
200KB

Download
memory/1992-10-0x0000000004520000-0x0000000004556000-memory.dmp

Filesize
216KB

Download
memory/1992-60-0x0000000007460000-0x0000000007ADA000-memory.dmp

Filesize
6.5MB

Download
memory/1992-12-0x0000000004D00000-0x0000000005328000-memory.dmp

Filesize
6.2MB

Download
memory/1992-58-0x0000000006AC0000-0x0000000006ADE000-memory.dmp

Filesize
120KB

Download
memory/1992-78-0x0000000007140000-0x0000000007148000-memory.dmp

Filesize
32KB

Download
memory/1992-11-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1992-77-0x0000000007160000-0x000000000717A000-memory.dmp

Filesize
104KB

Download
memory/1992-13-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1992-33-0x0000000005EF0000-0x0000000005F3C000-memory.dmp

Filesize
304KB

Download
memory/1992-73-0x00000000070A0000-0x0000000007136000-memory.dmp

Filesize
600KB

Download
memory/1992-74-0x0000000007020000-0x0000000007031000-memory.dmp

Filesize
68KB

Download
memory/1992-84-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1992-59-0x0000000006AE0000-0x0000000006B83000-memory.dmp

Filesize
652KB

Download
memory/1992-48-0x000000006F070000-0x000000006F0BC000-memory.dmp

Filesize
304KB

Download
memory/1992-14-0x0000000074650000-0x0000000074E00000-memory.dmp

Filesize
7.7MB

Download
memory/1992-15-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/1992-72-0x0000000006E90000-0x0000000006E9A000-memory.dmp

Filesize
40KB

Download
memory/1992-76-0x0000000007060000-0x0000000007074000-memory.dmp

Filesize
80KB

Download
memory/1992-61-0x0000000006E20000-0x0000000006E3A000-memory.dmp

Filesize
104KB

Download
memory/1992-32-0x0000000005AD0000-0x0000000005AEE000-memory.dmp

Filesize
120KB

Download
memory/1992-30-0x0000000005500000-0x0000000005854000-memory.dmp

Filesize
3.3MB

Download
memory/2196-164-0x000000006FC60000-0x000000006FCAC000-memory.dmp

Filesize
304KB

Download
memory/2928-107-0x00000000077D0000-0x0000000007873000-memory.dmp

Filesize
652KB

Download
memory/2928-109-0x0000000007B00000-0x0000000007B14000-memory.dmp

Filesize
80KB

Download
memory/2928-85-0x0000000005ED0000-0x0000000006224000-memory.dmp

Filesize
3.3MB

Download
memory/2928-96-0x00000000068D0000-0x000000000691C000-memory.dmp

Filesize
304KB

Download
memory/2928-97-0x000000006FC60000-0x000000006FCAC000-memory.dmp

Filesize
304KB

Download
memory/2928-108-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

Filesize
68KB

Download
memory/3752-121-0x000000006FC60000-0x000000006FCAC000-memory.dmp

Filesize
304KB

Download
memory/4208-141-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/4208-143-0x000000006FC60000-0x000000006FCAC000-memory.dmp

Filesize
304KB

Download