Analysis Overview
SHA256
df0dc53bc12e9886219c5b4a7f5545c388a124969ca02aaaed58a0c882ce3a67
Threat Level: Known bad
The file abb713cf90e8345c0b6b79345cbdc9d6.bin was found to be: Known bad.
Malicious Activity Summary
RedLine
RedLine payload
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Enumerates processes with tasklist
Drops file in Windows directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-31 01:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-31 01:40
Reported
2024-08-31 01:43
Platform
win7-20240708-en
Max time kernel
131s
Max time network
142s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\TherebyJoke | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\BlahAdobe | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\AspResistance | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\OvenJa | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\MrnaMatches | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\VotingApps | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe
"C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651690
C:\Windows\SysWOW64\findstr.exe
findstr /V "HampshireRangesScholarsPodcasts" Exhibit
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
Sister.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | kKUNXsFvNT.kKUNXsFvNT | udp |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Heritage
| MD5 | ee3a7efb4d01bb1b04e4c9ccb333c044 |
| SHA1 | 93d69dc0b27d0334176e60babe362d7cacb3369f |
| SHA256 | 71f4148c94bb24a35ac080121a3bcd09ad45007b19d0235296385694703de26b |
| SHA512 | b31a29cab9d03baec7387d1aba0176ddada3ad35be9497fc2df178f45c566c67fbeaff74e3648214362f8fabf6c1edc48536f5005e7ca6e2ef999574b09b0f52 |
C:\Users\Admin\AppData\Local\Temp\Exhibit
| MD5 | 5afc7229caf4095825dbf15befd37493 |
| SHA1 | ba1096e7690b22c55b6afdea14b9eafd14af7097 |
| SHA256 | e7cbd4083aacfe6fa4d5c45c6d6e621417aa11860abc41478d56ae6248d8a0b1 |
| SHA512 | 73202a3faf248a73b62c88746c5785effcdf30564b4afd2c4e9a3c6a24cf08b55e4a6fd35339c2a258981013dd0343cd62f64d247fd3180bd0b79ffc646e97fb |
C:\Users\Admin\AppData\Local\Temp\Papua
| MD5 | 8db77745f37a0a067728d621603c7cae |
| SHA1 | e3a1bf4c37d10434642c31c0435da28f7ee30de3 |
| SHA256 | 1335802132d3a38d17319ac6a5d3662820c30a50ed75a5d094cff5e1ccde687f |
| SHA512 | bedfec2197d9d22eb692f34413af1f37b3cb057a1d2929d2835d0d4e24103d101178370b2717dbdb38fa6c5d125698ac4f74fd934bf6dbe35a3ae1a9eb75f607 |
C:\Users\Admin\AppData\Local\Temp\Llp
| MD5 | b1be05ed7b57f24b0004276747520e23 |
| SHA1 | 8f41ad51eef21727562136de08afecbdf51e1635 |
| SHA256 | dc71aa99d951b08ea1c0f886d0146d5ab1a4c031aeb692cb6b7ea92da80b2c38 |
| SHA512 | 8747326a12820c04d4f268b063e11a84e71be47b9750ad0a8cb0325f24c0ad386d385d5d0a7ce4e81f984523dfaa6e9f26bc2e8bd226310974084e4d581dcfce |
C:\Users\Admin\AppData\Local\Temp\Powerful
| MD5 | fc73c25541cfa8ac7a46fccb525f0cfd |
| SHA1 | f83352a81f0f14546365f4c18d155233f4584d14 |
| SHA256 | 0a887aa261cbdab920c9fb983f20906a046115c1c40e2bb986823ae4ef4aa408 |
| SHA512 | 29bd51b706fcb7d075d85550926a33ba70269570b052c3d34297bd06ac652b1dc95c174e1e860df97df47171aef9ac3e8f552129e74690d4450e662e881b6cbd |
C:\Users\Admin\AppData\Local\Temp\Dude
| MD5 | fb6f9a5933fa68a15184363dd5f74446 |
| SHA1 | fa310d04bdcb2578a5853bcd6cd24c5516ec93c6 |
| SHA256 | c10e2d896a120a8639b63836cb6f8d1229b9b3a063048d523aec908dbe89d928 |
| SHA512 | 867fef1eac107b757e11df16c8c56347ae53f6d646a32f82ef7bae6f2479f168404affb4fcc3e462d234c6344e5b13e0d04482c59f5ffe810396e1b67634e3b4 |
C:\Users\Admin\AppData\Local\Temp\Slightly
| MD5 | 3a90362515761941660fbb96219f9fe0 |
| SHA1 | 8c4386f0bb80eff84a96cc25eaa85f2dfd121679 |
| SHA256 | c942fb8755a8f61585f06af8ce2b1e9fcf8d88d45d6c80dff7f523c24bfb543e |
| SHA512 | f4d165ce35a349332d6f5b68976a0735b90648f89c27f14bbabe3562c82ae233849886dff663e22d5a10440bcde8672cfb095ea7dac235bec9fca6aca22744d5 |
C:\Users\Admin\AppData\Local\Temp\Sources
| MD5 | 470f19f312808e9d98a35a5343cb25a8 |
| SHA1 | 50c4f2d1bfc53cbd2b4fa02bb156a5199aa85b3a |
| SHA256 | 8e0099e0b1d1a05f78099ebad128c0440bf0f469e21510e6996e8b497af36e3f |
| SHA512 | 1489d7bdb0ad32334bed050415062b340f79ecb8fb775f697d875300c7fc501e56162d547295d2f82fe4c6cf3a0a92c97e5f49bbeeaba58000636db970bd9cf0 |
C:\Users\Admin\AppData\Local\Temp\Vagina
| MD5 | 621679ec67ab5447a864ab80778de8ec |
| SHA1 | 288314f4e5ad902006af71971b75106c8e0bd6a8 |
| SHA256 | 4f332881e0e1ab18279f0dbaddab9650c473ce42b0ffdceff9ae3e27923d1e87 |
| SHA512 | cf5394137a4fdb1de5a7fc014a743220c93ff850c5cddb99c432b6b0a9393cb33bb9d178c2d6e13c58211f456240b4b3ae6a123a2bb68ce62ec96aa99109215b |
\Users\Admin\AppData\Local\Temp\651690\Sister.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\651690\p
| MD5 | 9a24d4882c1d58ce2448fdae562666d4 |
| SHA1 | 9d0565a9b786ab57844edd419459115aac35bde0 |
| SHA256 | 7f33004e6d85eb4e355e98c93c6765cdf62572bcda24126a2758d8b8d9021c2f |
| SHA512 | cd724a70b30103968830c89f935345eede1bf42ff454f65608c1799c72f35fb6e34cfa102d3a793d79370ab82e2a8f17ee6056c1248c406d5c620c35888828ab |
\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2864-31-0x00000000000D0000-0x0000000000122000-memory.dmp
memory/2864-33-0x00000000000D0000-0x0000000000122000-memory.dmp
memory/2864-34-0x00000000000D0000-0x0000000000122000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpF835.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-31 01:40
Reported
2024-08-31 01:43
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\TherebyJoke | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\BlahAdobe | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\AspResistance | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\OvenJa | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\MrnaMatches | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| File opened for modification | C:\Windows\VotingApps | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61 | C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe
"C:\Users\Admin\AppData\Local\Temp\bfe19615479cff03ad963d8206c2e3e89ddafd30bb4978e27976295214d3f295.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k move Heritage Heritage.bat & Heritage.bat & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa opssvc"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui avgui bdservicehost nswscsvc sophoshealth"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 651690
C:\Windows\SysWOW64\findstr.exe
findstr /V "HampshireRangesScholarsPodcasts" Exhibit
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b ..\Llp + ..\Powerful + ..\Dude + ..\Slightly + ..\Sources + ..\Vagina p
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
Sister.pif p
C:\Windows\SysWOW64\choice.exe
choice /d y /t 5
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kKUNXsFvNT.kKUNXsFvNT | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 147.45.47.251:2149 | tcp | |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 147.45.47.251:2149 | tcp | |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 147.45.47.251:2149 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 147.45.47.251:2149 | tcp | |
| DE | 147.45.47.251:2149 | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Heritage
| MD5 | ee3a7efb4d01bb1b04e4c9ccb333c044 |
| SHA1 | 93d69dc0b27d0334176e60babe362d7cacb3369f |
| SHA256 | 71f4148c94bb24a35ac080121a3bcd09ad45007b19d0235296385694703de26b |
| SHA512 | b31a29cab9d03baec7387d1aba0176ddada3ad35be9497fc2df178f45c566c67fbeaff74e3648214362f8fabf6c1edc48536f5005e7ca6e2ef999574b09b0f52 |
C:\Users\Admin\AppData\Local\Temp\Exhibit
| MD5 | 5afc7229caf4095825dbf15befd37493 |
| SHA1 | ba1096e7690b22c55b6afdea14b9eafd14af7097 |
| SHA256 | e7cbd4083aacfe6fa4d5c45c6d6e621417aa11860abc41478d56ae6248d8a0b1 |
| SHA512 | 73202a3faf248a73b62c88746c5785effcdf30564b4afd2c4e9a3c6a24cf08b55e4a6fd35339c2a258981013dd0343cd62f64d247fd3180bd0b79ffc646e97fb |
C:\Users\Admin\AppData\Local\Temp\Papua
| MD5 | 8db77745f37a0a067728d621603c7cae |
| SHA1 | e3a1bf4c37d10434642c31c0435da28f7ee30de3 |
| SHA256 | 1335802132d3a38d17319ac6a5d3662820c30a50ed75a5d094cff5e1ccde687f |
| SHA512 | bedfec2197d9d22eb692f34413af1f37b3cb057a1d2929d2835d0d4e24103d101178370b2717dbdb38fa6c5d125698ac4f74fd934bf6dbe35a3ae1a9eb75f607 |
C:\Users\Admin\AppData\Local\Temp\Llp
| MD5 | b1be05ed7b57f24b0004276747520e23 |
| SHA1 | 8f41ad51eef21727562136de08afecbdf51e1635 |
| SHA256 | dc71aa99d951b08ea1c0f886d0146d5ab1a4c031aeb692cb6b7ea92da80b2c38 |
| SHA512 | 8747326a12820c04d4f268b063e11a84e71be47b9750ad0a8cb0325f24c0ad386d385d5d0a7ce4e81f984523dfaa6e9f26bc2e8bd226310974084e4d581dcfce |
C:\Users\Admin\AppData\Local\Temp\Powerful
| MD5 | fc73c25541cfa8ac7a46fccb525f0cfd |
| SHA1 | f83352a81f0f14546365f4c18d155233f4584d14 |
| SHA256 | 0a887aa261cbdab920c9fb983f20906a046115c1c40e2bb986823ae4ef4aa408 |
| SHA512 | 29bd51b706fcb7d075d85550926a33ba70269570b052c3d34297bd06ac652b1dc95c174e1e860df97df47171aef9ac3e8f552129e74690d4450e662e881b6cbd |
C:\Users\Admin\AppData\Local\Temp\Dude
| MD5 | fb6f9a5933fa68a15184363dd5f74446 |
| SHA1 | fa310d04bdcb2578a5853bcd6cd24c5516ec93c6 |
| SHA256 | c10e2d896a120a8639b63836cb6f8d1229b9b3a063048d523aec908dbe89d928 |
| SHA512 | 867fef1eac107b757e11df16c8c56347ae53f6d646a32f82ef7bae6f2479f168404affb4fcc3e462d234c6344e5b13e0d04482c59f5ffe810396e1b67634e3b4 |
C:\Users\Admin\AppData\Local\Temp\Slightly
| MD5 | 3a90362515761941660fbb96219f9fe0 |
| SHA1 | 8c4386f0bb80eff84a96cc25eaa85f2dfd121679 |
| SHA256 | c942fb8755a8f61585f06af8ce2b1e9fcf8d88d45d6c80dff7f523c24bfb543e |
| SHA512 | f4d165ce35a349332d6f5b68976a0735b90648f89c27f14bbabe3562c82ae233849886dff663e22d5a10440bcde8672cfb095ea7dac235bec9fca6aca22744d5 |
C:\Users\Admin\AppData\Local\Temp\Vagina
| MD5 | 621679ec67ab5447a864ab80778de8ec |
| SHA1 | 288314f4e5ad902006af71971b75106c8e0bd6a8 |
| SHA256 | 4f332881e0e1ab18279f0dbaddab9650c473ce42b0ffdceff9ae3e27923d1e87 |
| SHA512 | cf5394137a4fdb1de5a7fc014a743220c93ff850c5cddb99c432b6b0a9393cb33bb9d178c2d6e13c58211f456240b4b3ae6a123a2bb68ce62ec96aa99109215b |
C:\Users\Admin\AppData\Local\Temp\Sources
| MD5 | 470f19f312808e9d98a35a5343cb25a8 |
| SHA1 | 50c4f2d1bfc53cbd2b4fa02bb156a5199aa85b3a |
| SHA256 | 8e0099e0b1d1a05f78099ebad128c0440bf0f469e21510e6996e8b497af36e3f |
| SHA512 | 1489d7bdb0ad32334bed050415062b340f79ecb8fb775f697d875300c7fc501e56162d547295d2f82fe4c6cf3a0a92c97e5f49bbeeaba58000636db970bd9cf0 |
C:\Users\Admin\AppData\Local\Temp\651690\Sister.pif
| MD5 | 18ce19b57f43ce0a5af149c96aecc685 |
| SHA1 | 1bd5ca29fc35fc8ac346f23b155337c5b28bbc36 |
| SHA256 | d8b7c7178fbadbf169294e4f29dce582f89a5cf372e9da9215aa082330dc12fd |
| SHA512 | a0c58f04dfb49272a2b6f1e8ce3f541a030a6c7a09bb040e660fc4cd9892ca3ac39cf3d6754c125f7cd1987d1fca01640a153519b4e2eb3e3b4b8c9dc1480558 |
C:\Users\Admin\AppData\Local\Temp\651690\p
| MD5 | 9a24d4882c1d58ce2448fdae562666d4 |
| SHA1 | 9d0565a9b786ab57844edd419459115aac35bde0 |
| SHA256 | 7f33004e6d85eb4e355e98c93c6765cdf62572bcda24126a2758d8b8d9021c2f |
| SHA512 | cd724a70b30103968830c89f935345eede1bf42ff454f65608c1799c72f35fb6e34cfa102d3a793d79370ab82e2a8f17ee6056c1248c406d5c620c35888828ab |
memory/2524-27-0x0000000000D40000-0x0000000000D92000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\651690\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/2524-30-0x0000000005CF0000-0x0000000006294000-memory.dmp
memory/2524-31-0x0000000005740000-0x00000000057D2000-memory.dmp
memory/2524-32-0x00000000056F0000-0x00000000056FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpF0A9.tmp
| MD5 | 1420d30f964eac2c85b2ccfe968eebce |
| SHA1 | bdf9a6876578a3e38079c4f8cf5d6c79687ad750 |
| SHA256 | f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9 |
| SHA512 | 6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8 |
memory/2524-49-0x0000000006320000-0x0000000006396000-memory.dmp
memory/2524-50-0x0000000006AE0000-0x0000000006AFE000-memory.dmp
memory/2524-53-0x0000000007220000-0x0000000007838000-memory.dmp
memory/2524-55-0x0000000006CB0000-0x0000000006CC2000-memory.dmp
memory/2524-54-0x0000000006D70000-0x0000000006E7A000-memory.dmp
memory/2524-56-0x0000000006D10000-0x0000000006D4C000-memory.dmp
memory/2524-57-0x0000000006E80000-0x0000000006ECC000-memory.dmp