Analysis Overview
SHA256
bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295
Threat Level: Known bad
The file bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295 was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-29 14:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-29 14:41
Reported
2024-08-29 14:44
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
128s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\VotingApps | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\TherebyJoke | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\BlahAdobe | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\AspResistance | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\OvenJa | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\MrnaMatches | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe
"C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651690
C:\Windows\SysWOW64\findstr.exe
findstr /V "HampshireRangesScholarsPodcasts" Exhibit
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
Sister.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4180,i,3210801877307184477,8078594481454001567,262144 --variations-seed-version --mojo-platform-channel-handle=4612 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kKUNXsFvNT.kKUNXsFvNT | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 147.45.47.251:2149 | | tcp |
| US | 8.8.8.8:53 | 251.47.45.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Heritage
| MD5 | ee3a7efb4d01bb1b04e4c9ccb333c044 |
| SHA1 | 93d69dc0b27d0334176e60babe362d7cacb3369f |
| SHA256 | 71f4148c94bb24a35ac080121a3bcd09ad45007b19d0235296385694703de26b |
| SHA512 | b31a29cab9d03baec7387d1aba0176ddada3ad35be9497fc2df178f45c566c67fbeaff74e3648214362f8fabf6c1edc48536f5005e7ca6e2ef999574b09b0f52 |
C:\Users\Admin\AppData\Local\Temp\Exhibit
| MD5 | 5afc7229caf4095825dbf15befd37493 |
| SHA1 | ba1096e7690b22c55b6afdea14b9eafd14af7097 |
| SHA256 | e7cbd4083aacfe6fa4d5c45c6d6e621417aa11860abc41478d56ae6248d8a0b1 |
| SHA512 | 73202a3faf248a73b62c88746c5785effcdf30564b4afd2c4e9a3c6a24cf08b55e4a6fd35339c2a258981013dd0343cd62f64d247fd3180bd0b79ffc646e97fb |
C:\Users\Admin\AppData\Local\Temp\Papua
| MD5 | 8db77745f37a0a067728d621603c7cae |
| SHA1 | e3a1bf4c37d10434642c31c0435da28f7ee30de3 |
| SHA256 | 1335802132d3a38d17319ac6a5d3662820c30a50ed75a5d094cff5e1ccde687f |
| SHA512 | bedfec2197d9d22eb692f34413af1f37b3cb057a1d2929d2835d0d4e24103d101178370b2717dbdb38fa6c5d125698ac4f74fd934bf6dbe35a3ae1a9eb75f607 |
C:\Users\Admin\AppData\Local\Temp\Llp
| MD5 | b1be05ed7b57f24b0004276747520e23 |
| SHA1 | 8f41ad51eef21727562136de08afecbdf51e1635 |
| SHA256 | dc71aa99d951b08ea1c0f886d0146d5ab1a4c031aeb692cb6b7ea92da80b2c38 |
| SHA512 | 8747326a12820c04d4f268b063e11a84e71be47b9750ad0a8cb0325f24c0ad386d385d5d0a7ce4e81f984523dfaa6e9f26bc2e8bd226310974084e4d581dcfce |
C:\Users\Admin\AppData\Local\Temp\Powerful
| MD5 | fc73c25541cfa8ac7a46fccb525f0cfd |
| SHA1 | f83352a81f0f14546365f4c18d155233f4584d14 |
| SHA256 | 0a887aa261cbdab920c9fb983f20906a046115c1c40e2bb986823ae4ef4aa408 |
| SHA512 | 29bd51b706fcb7d075d85550926a33ba70269570b052c3d34297bd06ac652b1dc95c174e1e860df97df47171aef9ac3e8f552129e74690d4450e662e881b6cbd |
C:\Users\Admin\AppData\Local\Temp\Dude
| MD5 | fb6f9a5933fa68a15184363dd5f74446 |
| SHA1 | fa310d04bdcb2578a5853bcd6cd24c5516ec93c6 |
| SHA256 | c10e2d896a120a8639b63836cb6f8d1229b9b3a063048d523aec908dbe89d928 |
| SHA512 | 867fef1eac107b757e11df16c8c56347ae53f6d646a32f82ef7bae6f2479f168404affb4fcc3e462d234c6344e5b13e0d04482c59f5ffe810396e1b67634e3b4 |
C:\Users\Admin\AppData\Local\Temp\Slightly
| MD5 | 3a90362515761941660fbb96219f9fe0 |
| SHA1 | 8c4386f0bb80eff84a96cc25eaa85f2dfd121679 |
| SHA256 | c942fb8755a8f61585f06af8ce2b1e9fcf8d88d45d6c80dff7f523c24bfb543e |
| SHA512 | f4d165ce35a349332d6f5b68976a0735b90648f89c27f14bbabe3562c82ae233849886dff663e22d5a10440bcde8672cfb095ea7dac235bec9fca6aca22744d5 |
C:\Users\Admin\AppData\Local\Temp\Vagina
| MD5 | 621679ec67ab5447a864ab80778de8ec |
| SHA1 | 288314f4e5ad902006af71971b75106c8e0bd6a8 |
| SHA256 | 4f332881e0e1ab18279f0dbaddab9650c473ce42b0ffdceff9ae3e27923d1e87 |
| SHA512 | cf5394137a4fdb1de5a7fc014a743220c93ff850c5cddb99c432b6b0a9393cb33bb9d178c2d6e13c58211f456240b4b3ae6a123a2bb68ce62ec96aa99109215b |
C:\Users\Admin\AppData\Local\Temp\Sources
| MD5 | 470f19f312808e9d98a35a5343cb25a8 |
| SHA1 | 50c4f2d1bfc53cbd2b4fa02bb156a5199aa85b3a |
| SHA256 | 8e0099e0b1d1a05f78099ebad128c0440bf0f469e21510e6996e8b497af36e3f |
| SHA512 | 1489d7bdb0ad32334bed050415062b340f79ecb8fb775f697d875300c7fc501e56162d547295d2f82fe4c6cf3a0a92c97e5f49bbeeaba58000636db970bd9cf0 |
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\651690\p
| MD5 | 9a24d4882c1d58ce2448fdae562666d4 |
| SHA1 | 9d0565a9b786ab57844edd419459115aac35bde0 |
| SHA256 | 7f33004e6d85eb4e355e98c93c6765cdf62572bcda24126a2758d8b8d9021c2f |
| SHA512 | cd724a70b30103968830c89f935345eede1bf42ff454f65608c1799c72f35fb6e34cfa102d3a793d79370ab82e2a8f17ee6056c1248c406d5c620c35888828ab |
memory/1848-27-0x0000000000B00000-0x0000000000B52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/1848-30-0x00000000055B0000-0x0000000005B54000-memory.dmp
memory/1848-31-0x00000000050A0000-0x0000000005132000-memory.dmp
memory/1848-32-0x0000000005060000-0x000000000506A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpC649.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/1848-49-0x0000000005CE0000-0x0000000005D56000-memory.dmp
memory/1848-50-0x0000000006340000-0x000000000635E000-memory.dmp
memory/1848-53-0x0000000006A80000-0x0000000007098000-memory.dmp
memory/1848-54-0x00000000065D0000-0x00000000066DA000-memory.dmp
memory/1848-55-0x0000000006510000-0x0000000006522000-memory.dmp
memory/1848-56-0x0000000006570000-0x00000000065AC000-memory.dmp
memory/1848-57-0x00000000066E0000-0x000000000672C000-memory.dmp
memory/1848-58-0x0000000006820000-0x0000000006886000-memory.dmp
memory/1848-61-0x0000000008320000-0x00000000084E2000-memory.dmp
memory/1848-62-0x0000000008A20000-0x0000000008F4C000-memory.dmp
memory/1848-63-0x0000000008200000-0x0000000008250000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-29 14:41
Reported
2024-08-29 14:44
Platform
win11-20240802-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Credentials from Password Stores: Credentials from Web Browsers
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\BlahAdobe | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\AspResistance | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\OvenJa | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\MrnaMatches | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\VotingApps | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\TherebyJoke | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe
"C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651690
C:\Windows\SysWOW64\findstr.exe
findstr /V "HampshireRangesScholarsPodcasts" Exhibit
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
Sister.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 147.45.47.251:2149 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Heritage
| MD5 | ee3a7efb4d01bb1b04e4c9ccb333c044 |
| SHA1 | 93d69dc0b27d0334176e60babe362d7cacb3369f |
| SHA256 | 71f4148c94bb24a35ac080121a3bcd09ad45007b19d0235296385694703de26b |
| SHA512 | b31a29cab9d03baec7387d1aba0176ddada3ad35be9497fc2df178f45c566c67fbeaff74e3648214362f8fabf6c1edc48536f5005e7ca6e2ef999574b09b0f52 |
C:\Users\Admin\AppData\Local\Temp\Exhibit
| MD5 | 5afc7229caf4095825dbf15befd37493 |
| SHA1 | ba1096e7690b22c55b6afdea14b9eafd14af7097 |
| SHA256 | e7cbd4083aacfe6fa4d5c45c6d6e621417aa11860abc41478d56ae6248d8a0b1 |
| SHA512 | 73202a3faf248a73b62c88746c5785effcdf30564b4afd2c4e9a3c6a24cf08b55e4a6fd35339c2a258981013dd0343cd62f64d247fd3180bd0b79ffc646e97fb |
C:\Users\Admin\AppData\Local\Temp\Papua
| MD5 | 8db77745f37a0a067728d621603c7cae |
| SHA1 | e3a1bf4c37d10434642c31c0435da28f7ee30de3 |
| SHA256 | 1335802132d3a38d17319ac6a5d3662820c30a50ed75a5d094cff5e1ccde687f |
| SHA512 | bedfec2197d9d22eb692f34413af1f37b3cb057a1d2929d2835d0d4e24103d101178370b2717dbdb38fa6c5d125698ac4f74fd934bf6dbe35a3ae1a9eb75f607 |
C:\Users\Admin\AppData\Local\Temp\Llp
| MD5 | b1be05ed7b57f24b0004276747520e23 |
| SHA1 | 8f41ad51eef21727562136de08afecbdf51e1635 |
| SHA256 | dc71aa99d951b08ea1c0f886d0146d5ab1a4c031aeb692cb6b7ea92da80b2c38 |
| SHA512 | 8747326a12820c04d4f268b063e11a84e71be47b9750ad0a8cb0325f24c0ad386d385d5d0a7ce4e81f984523dfaa6e9f26bc2e8bd226310974084e4d581dcfce |
C:\Users\Admin\AppData\Local\Temp\Powerful
| MD5 | fc73c25541cfa8ac7a46fccb525f0cfd |
| SHA1 | f83352a81f0f14546365f4c18d155233f4584d14 |
| SHA256 | 0a887aa261cbdab920c9fb983f20906a046115c1c40e2bb986823ae4ef4aa408 |
| SHA512 | 29bd51b706fcb7d075d85550926a33ba70269570b052c3d34297bd06ac652b1dc95c174e1e860df97df47171aef9ac3e8f552129e74690d4450e662e881b6cbd |
C:\Users\Admin\AppData\Local\Temp\Dude
| MD5 | fb6f9a5933fa68a15184363dd5f74446 |
| SHA1 | fa310d04bdcb2578a5853bcd6cd24c5516ec93c6 |
| SHA256 | c10e2d896a120a8639b63836cb6f8d1229b9b3a063048d523aec908dbe89d928 |
| SHA512 | 867fef1eac107b757e11df16c8c56347ae53f6d646a32f82ef7bae6f2479f168404affb4fcc3e462d234c6344e5b13e0d04482c59f5ffe810396e1b67634e3b4 |
C:\Users\Admin\AppData\Local\Temp\Slightly
| MD5 | 3a90362515761941660fbb96219f9fe0 |
| SHA1 | 8c4386f0bb80eff84a96cc25eaa85f2dfd121679 |
| SHA256 | c942fb8755a8f61585f06af8ce2b1e9fcf8d88d45d6c80dff7f523c24bfb543e |
| SHA512 | f4d165ce35a349332d6f5b68976a0735b90648f89c27f14bbabe3562c82ae233849886dff663e22d5a10440bcde8672cfb095ea7dac235bec9fca6aca22744d5 |
C:\Users\Admin\AppData\Local\Temp\Sources
| MD5 | 470f19f312808e9d98a35a5343cb25a8 |
| SHA1 | 50c4f2d1bfc53cbd2b4fa02bb156a5199aa85b3a |
| SHA256 | 8e0099e0b1d1a05f78099ebad128c0440bf0f469e21510e6996e8b497af36e3f |
| SHA512 | 1489d7bdb0ad32334bed050415062b340f79ecb8fb775f697d875300c7fc501e56162d547295d2f82fe4c6cf3a0a92c97e5f49bbeeaba58000636db970bd9cf0 |
C:\Users\Admin\AppData\Local\Temp\Vagina
| MD5 | 621679ec67ab5447a864ab80778de8ec |
| SHA1 | 288314f4e5ad902006af71971b75106c8e0bd6a8 |
| SHA256 | 4f332881e0e1ab18279f0dbaddab9650c473ce42b0ffdceff9ae3e27923d1e87 |
| SHA512 | cf5394137a4fdb1de5a7fc014a743220c93ff850c5cddb99c432b6b0a9393cb33bb9d178c2d6e13c58211f456240b4b3ae6a123a2bb68ce62ec96aa99109215b |
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\651690\p
| MD5 | 9a24d4882c1d58ce2448fdae562666d4 |
| SHA1 | 9d0565a9b786ab57844edd419459115aac35bde0 |
| SHA256 | 7f33004e6d85eb4e355e98c93c6765cdf62572bcda24126a2758d8b8d9021c2f |
| SHA512 | cd724a70b30103968830c89f935345eede1bf42ff454f65608c1799c72f35fb6e34cfa102d3a793d79370ab82e2a8f17ee6056c1248c406d5c620c35888828ab |
memory/4944-27-0x0000000000800000-0x0000000000852000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
| MD5 | 42ab6e035df99a43dbb879c86b620b91 |
| SHA1 | c6e116569d17d8142dbb217b1f8bfa95bc148c38 |
| SHA256 | 53195987d396986ebcb20425ac130e78ad308fdbd918f33f3fd92b99abda314b |
| SHA512 | 2e79de2d394ad33023d71611bb728b254aa4680b5a3a1ef5282b1155ddfaa2f3585c840a6700dfe0d1a276dac801298431f0187086d2e8f96b22f6c808fb97e5 |
memory/4944-30-0x0000000005460000-0x0000000005A06000-memory.dmp
memory/4944-31-0x0000000004F50000-0x0000000004FE2000-memory.dmp
memory/4944-32-0x00000000050F0000-0x00000000050FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp2352.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/4944-47-0x0000000005A90000-0x0000000005B06000-memory.dmp
memory/4944-48-0x0000000006140000-0x000000000615E000-memory.dmp
memory/4944-51-0x0000000006880000-0x0000000006E98000-memory.dmp
memory/4944-52-0x00000000063D0000-0x00000000064DA000-memory.dmp
memory/4944-53-0x0000000006310000-0x0000000006322000-memory.dmp
memory/4944-54-0x0000000006370000-0x00000000063AC000-memory.dmp
memory/4944-55-0x00000000064E0000-0x000000000652C000-memory.dmp
memory/4944-56-0x0000000006620000-0x0000000006686000-memory.dmp
memory/4944-59-0x0000000007250000-0x00000000072A0000-memory.dmp
memory/4944-60-0x00000000075B0000-0x0000000007772000-memory.dmp
memory/4944-61-0x00000000080A0000-0x00000000085CC000-memory.dmp