redline | 5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 01:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
Size

12.5MB
MD5

3ba515e7df4c8918a967f4043cd8c72b
SHA1

3659a765f502297fb92a9d14b08e5b8d91bc8603
SHA256

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482
SHA512

010d639a231724425e791afccc7fabacd9b20269665706434c28eba6192af5b424a792755ff1503c0e0afcdd05c5b470d59f57f706f843157c42212e0bb40d8c
SSDEEP

393216:Y9XWBQ/bXZmSUGkVAqYwm9MlpcghwvWLT0Z:Y9GBmZkVAqYweMbIWfo

Score

10^/10

redline sectoprat xmrig mergedall telegramone evasion execution infostealer miner persistence pyinstaller rat trojan upx

Malware Config

Extracted

Family

redline

Botnet

MergedALL

51.195.206.227:38719

Extracted

Family

redline

Botnet

telegramone

163.5.160.27:51523

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\mergedALL.exe	family_redline
\Users\Admin\AppData\Local\Temp\fix.exe	family_redline
behavioral1/memory/3048-56-0x0000000001300000-0x0000000001350000-memory.dmp	family_redline
behavioral1/memory/2692-55-0x0000000000890000-0x00000000008AE000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\fix.exe	family_sectoprat
behavioral1/memory/2692-55-0x0000000000890000-0x00000000008AE000-memory.dmp	family_sectoprat

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/536-100-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-101-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-104-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-106-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-103-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-107-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-105-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/536-129-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

1968 powershell.exe
2952 powershell.exe
2988 powershell.exe
2176 powershell.exe
2468 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 10 IoCs

Processes:

hamburger.exeNotepad.exemergedALL.exeetc test.exefix.exeNotepad.exetubpxzvwmyfr.exeesfowblknspo.exe

pid process

2856 hamburger.exe
2708 Notepad.exe
3048 mergedALL.exe
2784 etc test.exe
2692 fix.exe
1564 Notepad.exe
1188
472
3060 tubpxzvwmyfr.exe
1508 esfowblknspo.exe

pid	process
1968	powershell.exe
2952	powershell.exe
2988	powershell.exe
2176	powershell.exe
2468	powershell.exe

pid	process
2856	hamburger.exe
2708	Notepad.exe
3048	mergedALL.exe
2784	etc test.exe
2692	fix.exe
1564	Notepad.exe
1188
472
3060	tubpxzvwmyfr.exe
1508	esfowblknspo.exe

Loads dropped DLL 13 IoCs

Processes:

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exeNotepad.exeNotepad.exe

pid	process
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
2708	Notepad.exe
1564	Notepad.exe
1188
472
472
472

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/536-98-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-97-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-95-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-100-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-99-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-96-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-101-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-104-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-106-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-103-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-107-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/536-129-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in System32 directory 8 IoCs

Processes:

etc test.exepowershell.exeesfowblknspo.exepowershell.exehamburger.exepowershell.exetubpxzvwmyfr.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	etc test.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	esfowblknspo.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	hamburger.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	tubpxzvwmyfr.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tubpxzvwmyfr.exeesfowblknspo.exe

description	pid	process	target process
PID 3060 set thread context of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 set thread context of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 1508 set thread context of 2984	1508	esfowblknspo.exe	conhost.exe

Drops file in Windows directory 4 IoCs

Processes:

wusa.exewusa.exewusa.exewusa.exe

description	ioc	process
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe
File created	C:\Windows\wusa.lock	wusa.exe

Launches sc.exe 8 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

2312 sc.exe
2596 sc.exe
1876 sc.exe
2372 sc.exe
708 sc.exe
3016 sc.exe
1592 sc.exe
1804 sc.exe

pid	process
2312	sc.exe
2596	sc.exe
1876	sc.exe
2372	sc.exe
708	sc.exe
3016	sc.exe
1592	sc.exe
1804	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\Notepad.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 60e2f53e54cbda01	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exehamburger.exeetc test.exepowershell.exetubpxzvwmyfr.exepowershell.execonhost.exepowershell.exeesfowblknspo.exepowershell.exe

pid	process
2468	powershell.exe
2856	hamburger.exe
2784	etc test.exe
2176	powershell.exe
2856	hamburger.exe
2856	hamburger.exe
2856	hamburger.exe
2856	hamburger.exe
2856	hamburger.exe
3060	tubpxzvwmyfr.exe
2952	powershell.exe
3060	tubpxzvwmyfr.exe
3060	tubpxzvwmyfr.exe
3060	tubpxzvwmyfr.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
1968	powershell.exe
536	conhost.exe
2784	etc test.exe
2784	etc test.exe
2784	etc test.exe
2784	etc test.exe
2784	etc test.exe
1508	esfowblknspo.exe
2988	powershell.exe
1508	esfowblknspo.exe
1508	esfowblknspo.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe
536	conhost.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exefix.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2692	fix.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeLockMemoryPrivilege	536	conhost.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exeNotepad.execmd.exetubpxzvwmyfr.execmd.execmd.exeesfowblknspo.execmd.exe

description	pid	process	target process
PID 492 wrote to memory of 2468	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	powershell.exe
PID 492 wrote to memory of 2468	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	powershell.exe
PID 492 wrote to memory of 2468	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	powershell.exe
PID 492 wrote to memory of 2468	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	powershell.exe
PID 492 wrote to memory of 2856	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	hamburger.exe
PID 492 wrote to memory of 2856	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	hamburger.exe
PID 492 wrote to memory of 2856	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	hamburger.exe
PID 492 wrote to memory of 2856	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	hamburger.exe
PID 492 wrote to memory of 2708	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	Notepad.exe
PID 492 wrote to memory of 2708	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	Notepad.exe
PID 492 wrote to memory of 2708	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	Notepad.exe
PID 492 wrote to memory of 2708	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	Notepad.exe
PID 492 wrote to memory of 3048	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	mergedALL.exe
PID 492 wrote to memory of 3048	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	mergedALL.exe
PID 492 wrote to memory of 3048	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	mergedALL.exe
PID 492 wrote to memory of 3048	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	mergedALL.exe
PID 492 wrote to memory of 2784	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	etc test.exe
PID 492 wrote to memory of 2784	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	etc test.exe
PID 492 wrote to memory of 2784	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	etc test.exe
PID 492 wrote to memory of 2784	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	etc test.exe
PID 492 wrote to memory of 2692	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	fix.exe
PID 492 wrote to memory of 2692	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	fix.exe
PID 492 wrote to memory of 2692	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	fix.exe
PID 492 wrote to memory of 2692	492	5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe	fix.exe
PID 2708 wrote to memory of 1564	2708	Notepad.exe	Notepad.exe
PID 2708 wrote to memory of 1564	2708	Notepad.exe	Notepad.exe
PID 2708 wrote to memory of 1564	2708	Notepad.exe	Notepad.exe
PID 2204 wrote to memory of 1224	2204	cmd.exe	wusa.exe
PID 2204 wrote to memory of 1224	2204	cmd.exe	wusa.exe
PID 2204 wrote to memory of 1224	2204	cmd.exe	wusa.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 2884	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 1744 wrote to memory of 264	1744	cmd.exe	wusa.exe
PID 1744 wrote to memory of 264	1744	cmd.exe	wusa.exe
PID 1744 wrote to memory of 264	1744	cmd.exe	wusa.exe
PID 3060 wrote to memory of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 3060 wrote to memory of 536	3060	tubpxzvwmyfr.exe	conhost.exe
PID 1284 wrote to memory of 888	1284	cmd.exe	wusa.exe
PID 1284 wrote to memory of 888	1284	cmd.exe	wusa.exe
PID 1284 wrote to memory of 888	1284	cmd.exe	wusa.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 1508 wrote to memory of 2984	1508	esfowblknspo.exe	conhost.exe
PID 992 wrote to memory of 2936	992	cmd.exe	wusa.exe
PID 992 wrote to memory of 2936	992	cmd.exe	wusa.exe
PID 992 wrote to memory of 2936	992	cmd.exe	wusa.exe

C:\Users\Admin\AppData\Local\Temp\5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe
"C:\Users\Admin\AppData\Local\Temp\5234a3b9c46390f23a13c401cd294dadc63944ed57a19b26ff4e7211442e0482.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQByACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAHMAYgBtACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGgAegBiACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGQAagBuACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Users\Admin\AppData\Local\Temp\hamburger.exe
"C:\Users\Admin\AppData\Local\Temp\hamburger.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:1224

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "UPFRTHSI"
3⤵
- Launches sc.exe
PID:1804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "UPFRTHSI" binpath= "C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2312

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1876

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "UPFRTHSI"
3⤵
- Launches sc.exe
PID:2596

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708

C:\Users\Admin\AppData\Local\Temp\Notepad.exe
"C:\Users\Admin\AppData\Local\Temp\Notepad.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564

C:\Users\Admin\AppData\Local\Temp\mergedALL.exe
"C:\Users\Admin\AppData\Local\Temp\mergedALL.exe"
2⤵
- Executes dropped EXE
PID:3048

C:\Users\Admin\AppData\Local\Temp\etc test.exe
"C:\Users\Admin\AppData\Local\Temp\etc test.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2784

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
- Drops file in Windows directory
PID:888

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBKZWAPS"
3⤵
- Launches sc.exe
PID:708

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBKZWAPS" binpath= "C:\ProgramData\rstywrmdprzs\esfowblknspo.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2372

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1592

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBKZWAPS"
3⤵
- Launches sc.exe
PID:3016

C:\Users\Admin\AppData\Local\Temp\fix.exe
"C:\Users\Admin\AppData\Local\Temp\fix.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
C:\ProgramData\pehgyntafdrm\tubpxzvwmyfr.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3060

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:264

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2884

C:\Windows\system32\conhost.exe
conhost.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
C:\ProgramData\rstywrmdprzs\esfowblknspo.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Drops file in Windows directory
PID:2936

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27082\python312.dll

Filesize
6.7MB

MD5
550288a078dffc3430c08da888e70810

SHA1
01b1d31f37fb3fd81d893cc5e4a258e976f5884f

SHA256
789a42ac160cef98f8925cb347473eeeb4e70f5513242e7faba5139ba06edf2d

SHA512
7244432fc3716f7ef27630d4e8fbc8180a2542aa97a01d44dca260ab43966dd8ac98b6023400b0478a4809aace1a128f1f4d6e544f2e591a5b436fd4c8a9d723

Download Submit
C:\Users\Admin\AppData\Local\Temp\etc test.exe

Filesize
2.5MB

MD5
e4e8f85ee773cd79bd76dd7798baf957

SHA1
112f53467d2946f2bcf4c55bb4177f25120cda13

SHA256
a0a9aa62080c1a543e11e5853fcd6964e598b59a0a7c24de7a7f1d951177e564

SHA512
99a1dd206181ef20c572a1a1ed9354cc2f70424a4493cd2e67648b54483f90e0bf291764e4731943c6ed73ab872b3fa8410c0368295d5a025330792a17f19dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\hamburger.exe

Filesize
2.5MB

MD5
09af9e57d30e6929c115811dfa9c3b7e

SHA1
caf9281f7001f92524005c60a34f33543315df52

SHA256
3b031ddbb05570ca3ffefa93abbd1cb2891897a34ea9b4a29612858b66a146f2

SHA512
023849985162db69160f559002586dbdb4148747f13fa1ff617e75b0f972c778f9f3d6a033dd3fb429d78aa3c20b264d83dc44274d6c0743a3ed1cf88fb045f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mergedALL.exe

Filesize
297KB

MD5
2359b2a186e08a38296305861dea4231

SHA1
41716e2710daaebba6f03d009064a149da90c526

SHA256
f36f4c7bfb509bcfc5cdfb6eb28149bfca1b6ab3eb001bf74ef1e35f5edce9d6

SHA512
6ebcb5f9c3b6d76c59221d1442d4c39cc7a1108ae7ef63f3173cff0fcb5356e622369d2925c0d1992aec3a2605641a69e44891c804d320cbe36e164705d19c54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PZ8F1XRFPF3EC2A6UP0W.temp

Filesize
7KB

MD5
461f90da60d8e959dac1efabf19c0056

SHA1
35a213899dccd177db2246d74c4d36b158ef4fa9

SHA256
6f1a0551df2f89e8d3fd81fc59abd38b331c187147a291755b9cce327da0e019

SHA512
881de06fde11ef1cbff0d8051ef90298effd696b33f4c41126e85982b17b79b5a567537b3e0e950b1c6a89815b6cfa56755586551781b27b45ee08cbf142186f

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\Notepad.exe

Filesize
7.0MB

MD5
150f7378fd18d19ecc002761fa112de5

SHA1
a5ef247183d14dcd0d9b112306c1965c38720a1e

SHA256
b3bfd7d408a13096897fe8cbaff158cb8ff34f6d2d2269b25a1a268daeef387c

SHA512
dd3739f3e7736c6d6319dbf71346addfdab60d668c84b91d9c87bdf5ee7c6ea085b49a314c52338cb196cceb212067fdbf804da91d9f517a34e1b0978ceebb6d

Download Submit
\Users\Admin\AppData\Local\Temp\fix.exe

Filesize
95KB

MD5
1f327a277466f1bb04aa5cfcd279c0f7

SHA1
9bcb7bbac28992b9c7c35ba0573dce7db32ca18f

SHA256
e8432406bc918c6ce0d245a3bc5bb8c021b218593f94b5d09ebcda7e549f1fc0

SHA512
82c750475dc42d974c3fd33a4329bce7e99a5c15bf88fe4e802627b321b6c91f78e8be4b82e72380ee34c4de407878d17b18af26d7f5667104fdc55020f68a9d

Download Submit
memory/536-107-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-95-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-104-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-129-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-106-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-105-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-103-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-98-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-97-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-101-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-100-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-102-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/536-99-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/536-96-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1968-113-0x000000001B3F0000-0x000000001B6D2000-memory.dmp

Filesize
2.9MB

Download
memory/2176-78-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2176-77-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2692-55-0x0000000000890000-0x00000000008AE000-memory.dmp

Filesize
120KB

Download
memory/2884-86-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2884-87-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2884-88-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2884-93-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2884-89-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2884-90-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2952-85-0x0000000000840000-0x0000000000848000-memory.dmp

Filesize
32KB

Download
memory/2952-84-0x0000000019FC0000-0x000000001A2A2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-124-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2984-125-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2984-123-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2984-122-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2984-127-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2984-121-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/2988-120-0x0000000000990000-0x0000000000998000-memory.dmp

Filesize
32KB

Download
memory/3048-56-0x0000000001300000-0x0000000001350000-memory.dmp

Filesize
320KB

Download