redline | 509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098

Analysis

max time kernel
298s
max time network
298s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
26-09-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe
Size

314KB
MD5

5ec109983136c374dec9399469ba33f8
SHA1

489613e3f1d39e3914dfe78bd7a1ed9228bc545b
SHA256

509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098
SHA512

5330a504a79bc0957cbf9449d1bc14534cda9a1ffc7875f7df956eec8bf4ac5625fd3d87416017d1d5845edaecfc2c82e7ab4a637906bb624c2b35e705e8784d
SSDEEP

6144:pkv7qrnOon2eqPntIHipq16Ba4AELjPL2hKpjR6ZmY1ivri:pkv7qrJ2eqftIuqABaVEnwK3WQ

Score

10^/10

redline xmrig logsdiller cloud (tg: @logsdillabot)discovery evasion execution infostealer miner persistence spyware stealer themida trojan

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

91.211.248.215:24327

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2568-3-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	filename.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	updater.exe

XMRig Miner payload 18 IoCs

miner

resource	yara_rule
behavioral2/memory/1292-277-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-278-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-276-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-275-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-274-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-272-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-271-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-273-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-287-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-288-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-286-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-284-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-285-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-281-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-291-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-293-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-295-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig
behavioral2/memory/1292-294-0x0000000140000000-0x000000014082C000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1020	powershell.exe
3728	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\etc\hosts	filename.exe
File created	C:\Windows\system32\drivers\etc\hosts	updater.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	filename.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	updater.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	filename.exe

Executes dropped EXE 2 IoCs

pid	Process
352	filename.exe
1904	updater.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 13 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000900000001ac3f-45.dat	themida
behavioral2/memory/352-47-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-49-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-51-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-52-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-53-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-54-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/352-103-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp	themida
behavioral2/memory/1904-106-0x00007FF691950000-0x00007FF692875000-memory.dmp	themida
behavioral2/memory/1904-107-0x00007FF691950000-0x00007FF692875000-memory.dmp	themida
behavioral2/memory/1904-109-0x00007FF691950000-0x00007FF692875000-memory.dmp	themida
behavioral2/memory/1904-108-0x00007FF691950000-0x00007FF692875000-memory.dmp	themida
behavioral2/memory/1904-283-0x00007FF691950000-0x00007FF692875000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	filename.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	updater.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
4732	powercfg.exe
3792	powercfg.exe
4788	powercfg.exe
2976	powercfg.exe
3652	powercfg.exe
4724	powercfg.exe
216	powercfg.exe
2752	powercfg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	updater.exe
File opened for modification	C:\Windows\system32\MRT.exe	filename.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
352	filename.exe
1904	updater.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2448 set thread context of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 1904 set thread context of 3412	1904	updater.exe	134
PID 1904 set thread context of 1292	1904	updater.exe	137

Launches sc.exe 14 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4672	sc.exe
4480	sc.exe
4664	sc.exe
4816	sc.exe
4608	sc.exe
2816	sc.exe
2588	sc.exe
2340	sc.exe
3364	sc.exe
4312	sc.exe
2852	sc.exe
4432	sc.exe
4908	sc.exe
2940	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2568	RegAsm.exe
2568	RegAsm.exe
2568	RegAsm.exe
352	filename.exe
1020	powershell.exe
1020	powershell.exe
1020	powershell.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
352	filename.exe
1904	updater.exe
3728	powershell.exe
3728	powershell.exe
3728	powershell.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1904	updater.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe
1292	explorer.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeDebugPrivilege	2568	RegAsm.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1020	powershell.exe
Token: SeSecurityPrivilege	1020	powershell.exe
Token: SeTakeOwnershipPrivilege	1020	powershell.exe
Token: SeLoadDriverPrivilege	1020	powershell.exe
Token: SeSystemProfilePrivilege	1020	powershell.exe
Token: SeSystemtimePrivilege	1020	powershell.exe
Token: SeProfSingleProcessPrivilege	1020	powershell.exe
Token: SeIncBasePriorityPrivilege	1020	powershell.exe
Token: SeCreatePagefilePrivilege	1020	powershell.exe
Token: SeBackupPrivilege	1020	powershell.exe
Token: SeRestorePrivilege	1020	powershell.exe
Token: SeShutdownPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeSystemEnvironmentPrivilege	1020	powershell.exe
Token: SeRemoteShutdownPrivilege	1020	powershell.exe
Token: SeUndockPrivilege	1020	powershell.exe
Token: SeManageVolumePrivilege	1020	powershell.exe
Token: 33	1020	powershell.exe
Token: 34	1020	powershell.exe
Token: 35	1020	powershell.exe
Token: 36	1020	powershell.exe
Token: SeShutdownPrivilege	3792	powercfg.exe
Token: SeCreatePagefilePrivilege	3792	powercfg.exe
Token: SeShutdownPrivilege	2976	powercfg.exe
Token: SeCreatePagefilePrivilege	2976	powercfg.exe
Token: SeShutdownPrivilege	4732	powercfg.exe
Token: SeCreatePagefilePrivilege	4732	powercfg.exe
Token: SeShutdownPrivilege	4788	powercfg.exe
Token: SeCreatePagefilePrivilege	4788	powercfg.exe
Token: SeDebugPrivilege	3728	powershell.exe
Token: SeAssignPrimaryTokenPrivilege	3728	powershell.exe
Token: SeIncreaseQuotaPrivilege	3728	powershell.exe
Token: SeSecurityPrivilege	3728	powershell.exe
Token: SeTakeOwnershipPrivilege	3728	powershell.exe
Token: SeLoadDriverPrivilege	3728	powershell.exe
Token: SeSystemtimePrivilege	3728	powershell.exe
Token: SeBackupPrivilege	3728	powershell.exe
Token: SeRestorePrivilege	3728	powershell.exe
Token: SeShutdownPrivilege	3728	powershell.exe
Token: SeSystemEnvironmentPrivilege	3728	powershell.exe
Token: SeUndockPrivilege	3728	powershell.exe
Token: SeManageVolumePrivilege	3728	powershell.exe
Token: SeShutdownPrivilege	216	powercfg.exe
Token: SeCreatePagefilePrivilege	216	powercfg.exe
Token: SeShutdownPrivilege	2752	powercfg.exe
Token: SeCreatePagefilePrivilege	2752	powercfg.exe
Token: SeShutdownPrivilege	3652	powercfg.exe
Token: SeCreatePagefilePrivilege	3652	powercfg.exe
Token: SeShutdownPrivilege	4724	powercfg.exe
Token: SeCreatePagefilePrivilege	4724	powercfg.exe
Token: SeLockMemoryPrivilege	1292	explorer.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2448 wrote to memory of 2568	2448	509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe	76
PID 2568 wrote to memory of 352	2568	RegAsm.exe	79
PID 2568 wrote to memory of 352	2568	RegAsm.exe	79
PID 3536 wrote to memory of 4132	3536	cmd.exe	88
PID 3536 wrote to memory of 4132	3536	cmd.exe	88
PID 2568 wrote to memory of 2360	2568	cmd.exe	119
PID 2568 wrote to memory of 2360	2568	cmd.exe	119
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 3412	1904	updater.exe	134
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137
PID 1904 wrote to memory of 1292	1904	updater.exe	137

C:\Users\Admin\AppData\Local\Temp\509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe
"C:\Users\Admin\AppData\Local\Temp\509d4e533c2bf000940c404ea8b5219a3a10c95fb55f7ed911730fa040ed5098.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Users\Admin\AppData\Local\Temp\filename.exe
    "C:\Users\Admin\AppData\Local\Temp\filename.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:352
  - - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3536
    - - C:\Windows\system32\wusa.exe
        
        wusa /uninstall /kb:890830 /quiet /norestart
        5⤵
        
        PID:4132
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop UsoSvc
      4⤵
      Launches sc.exe
      PID:2340
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop WaaSMedicSvc
      4⤵
      Launches sc.exe
      PID:4672
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop wuauserv
      4⤵
      Launches sc.exe
      PID:4816
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop bits
      4⤵
      Launches sc.exe
      PID:4608
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop dosvc
      4⤵
      Launches sc.exe
      PID:4312
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4732
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Windows\system32\powercfg.exe
      C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
      4⤵
      Power Settings
      Suspicious use of AdjustPrivilegeToken
      PID:2976
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe delete "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:4480
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe create "GoogleUpdateTaskMachineQC" binpath= "C:\ProgramData\Google\Chrome\updater.exe" start= "auto"
      4⤵
      Launches sc.exe
      PID:2852
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe stop eventlog
      4⤵
      Launches sc.exe
      PID:3364
  - - C:\Windows\system32\sc.exe
      C:\Windows\system32\sc.exe start "GoogleUpdateTaskMachineQC"
      4⤵
      Launches sc.exe
      PID:2816

C:\ProgramData\Google\Chrome\updater.exe
C:\ProgramData\Google\Chrome\updater.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2360
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4664
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:4432
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:2588
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4908
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:2940
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4724
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:3412
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Tmp8194.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cq4tv53e.wtz.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\filename.exe

Filesize
8.1MB

MD5
128492dfe6cea5f79bd50dd527f2687a

SHA1
9e384550063553fa673d2f0703c390f2a9577e1b

SHA256
c891f1be0c0347437cd86349478f5b4fc3f437ca21834766eabc38ffc1b2a415

SHA512
f51d0aa43f796111bffd2ff71745ebe4b85e1303199c1406bdf002a6b75c5f2e534453da2973999b415829184696a3e5cc459956f2d33672a665bde289c17b31

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
2b19df2da3af86adf584efbddd0d31c0

SHA1
f1738910789e169213611c033d83bc9577373686

SHA256
58868a299c5cf1167ed3fbc570a449ecd696406410b24913ddbd0f06a32595bd

SHA512
4a1831f42a486a0ad2deef3d348e7220209214699504e29fdfeb2a6f7f25ad1d353158cd05778f76ef755e77ccd94ce9b4a7504039e439e4e90fa7cde589daa6

Download Submit
memory/352-47-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-54-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-53-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-52-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-51-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-49-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/352-103-0x00007FF79A290000-0x00007FF79B1B5000-memory.dmp

Filesize
15.1MB

Download
memory/1020-62-0x000001BFBBF80000-0x000001BFBBFF6000-memory.dmp

Filesize
472KB

Download
memory/1020-59-0x000001BFBBDD0000-0x000001BFBBDF2000-memory.dmp

Filesize
136KB

Download
memory/1292-287-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-295-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-271-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-272-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-294-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-281-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-276-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-278-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-277-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-273-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-270-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-282-0x00000000003E0000-0x0000000000400000-memory.dmp

Filesize
128KB

Download
memory/1292-291-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-288-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-286-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-293-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-284-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-285-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-275-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1292-274-0x0000000140000000-0x000000014082C000-memory.dmp

Filesize
8.2MB

Download
memory/1904-106-0x00007FF691950000-0x00007FF692875000-memory.dmp

Filesize
15.1MB

Download
memory/1904-107-0x00007FF691950000-0x00007FF692875000-memory.dmp

Filesize
15.1MB

Download
memory/1904-109-0x00007FF691950000-0x00007FF692875000-memory.dmp

Filesize
15.1MB

Download
memory/1904-108-0x00007FF691950000-0x00007FF692875000-memory.dmp

Filesize
15.1MB

Download
memory/1904-283-0x00007FF691950000-0x00007FF692875000-memory.dmp

Filesize
15.1MB

Download
memory/2448-39-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-1-0x0000000000DD0000-0x0000000000E24000-memory.dmp

Filesize
336KB

Download
memory/2448-5-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2448-0-0x0000000073F0E000-0x0000000073F0F000-memory.dmp

Filesize
4KB

Download
memory/2568-29-0x0000000006FA0000-0x00000000075A6000-memory.dmp

Filesize
6.0MB

Download
memory/2568-32-0x0000000006AA0000-0x0000000006ADE000-memory.dmp

Filesize
248KB

Download
memory/2568-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2568-6-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-7-0x0000000005AB0000-0x0000000005FAE000-memory.dmp

Filesize
5.0MB

Download
memory/2568-8-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/2568-41-0x0000000007CB0000-0x0000000007D00000-memory.dmp

Filesize
320KB

Download
memory/2568-40-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-9-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/2568-38-0x0000000007F80000-0x00000000084AC000-memory.dmp

Filesize
5.2MB

Download
memory/2568-37-0x0000000007880000-0x0000000007A42000-memory.dmp

Filesize
1.8MB

Download
memory/2568-34-0x0000000006D50000-0x0000000006DB6000-memory.dmp

Filesize
408KB

Download
memory/2568-33-0x0000000006C20000-0x0000000006C6B000-memory.dmp

Filesize
300KB

Download
memory/2568-26-0x0000000006230000-0x00000000062A6000-memory.dmp

Filesize
472KB

Download
memory/2568-31-0x0000000006A40000-0x0000000006A52000-memory.dmp

Filesize
72KB

Download
memory/2568-30-0x0000000006B10000-0x0000000006C1A000-memory.dmp

Filesize
1.0MB

Download
memory/2568-50-0x0000000073F00000-0x00000000745EE000-memory.dmp

Filesize
6.9MB

Download
memory/2568-27-0x0000000006970000-0x000000000698E000-memory.dmp

Filesize
120KB

Download
memory/3412-266-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3412-269-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3412-262-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3412-263-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3412-264-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3412-265-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/3728-171-0x0000028E43420000-0x0000028E4342A000-memory.dmp

Filesize
40KB

Download
memory/3728-138-0x0000028E438E0000-0x0000028E43999000-memory.dmp

Filesize
740KB

Download
memory/3728-132-0x0000028E43400000-0x0000028E4341C000-memory.dmp

Filesize
112KB

Download