redline | 640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe
Size

6.3MB
MD5

b88f61a7938ef8af011259c59efc3d3d
SHA1

ba6f4356993959799fbd88bb350558045c363a85
SHA256

640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2
SHA512

ba7a3564327f2ec4e0c34710205bdb297b8c4a29f020f973462897d52f4d99fefbb74c1f511195d2ac3bae0e44a8dc749cdf6d043ff5fba9939cdd73c59e7d40
SSDEEP

98304:0rLVoBkwXnc+AdMIm8r3ctMmKCOQhMCTgeZ1lcvd6:uhIkwt+x31/CICj1lg6

Score

10^/10

redline xmrig evasion execution infostealer miner persistence upx

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/3712-26-0x0000000000D70000-0x0000000000DBA000-memory.dmp family_redline
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

resource	yara_rule
behavioral2/memory/3712-26-0x0000000000D70000-0x0000000000DBA000-memory.dmp	family_redline

UPX dump on OEP (original entry point) 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1360-106-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-122-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-119-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-111-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-110-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-109-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-107-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-108-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-123-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-121-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-120-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-126-0x0000000140000000-0x0000000140848000-memory.dmp	UPX
behavioral2/memory/1360-127-0x0000000140000000-0x0000000140848000-memory.dmp	UPX

XMRig Miner payload 9 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1360-122-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-119-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-111-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-110-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-123-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-121-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-120-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-126-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/1360-127-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4864 powershell.exe
3812 powershell.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 3 IoCs

Processes:

WeMod.exeSirus.exeleirdnhqqedj.exe

pid process

2352 WeMod.exe
3712 Sirus.exe
4100 leirdnhqqedj.exe

pid	process
4864	powershell.exe
3812	powershell.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1360-106-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-122-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-111-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-110-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-109-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-107-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-105-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-108-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-123-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-121-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-120-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/1360-127-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
persistence

T1653

Processes:

powercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exe

pid process

2436 powercfg.exe
2228 powercfg.exe
3520 powercfg.exe
2300 powercfg.exe
4692 powercfg.exe
320 powercfg.exe
208 powercfg.exe
4732 powercfg.exe

pid	process
2436	powercfg.exe
2228	powercfg.exe
3520	powercfg.exe
2300	powercfg.exe
4692	powercfg.exe
320	powercfg.exe
208	powercfg.exe
4732	powercfg.exe

Drops file in System32 directory 6 IoCs

Processes:

WeMod.exeleirdnhqqedj.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\MRT.exe	WeMod.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}	leirdnhqqedj.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Roaming\Obsidium\{3D20819C-5D02B5C8-D5AE7FCB-C4F5C439}\4100.obs	leirdnhqqedj.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	leirdnhqqedj.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

WeMod.exeleirdnhqqedj.exe

pid process

2352 WeMod.exe
4100 leirdnhqqedj.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

leirdnhqqedj.exe

description pid process target process

PID 4100 set thread context of 1172 4100 leirdnhqqedj.exe conhost.exe
PID 4100 set thread context of 1360 4100 leirdnhqqedj.exe explorer.exe
Launches sc.exe 14 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1616 sc.exe
2804 sc.exe
4912 sc.exe
2640 sc.exe
2064 sc.exe
1940 sc.exe
4808 sc.exe
3548 sc.exe
4996 sc.exe
3204 sc.exe
3692 sc.exe
520 sc.exe
4824 sc.exe
4284 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4100 set thread context of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 set thread context of 1360	4100	leirdnhqqedj.exe	explorer.exe

pid	process
1616	sc.exe
2804	sc.exe
4912	sc.exe
2640	sc.exe
2064	sc.exe
1940	sc.exe
4808	sc.exe
3548	sc.exe
4996	sc.exe
3204	sc.exe
3692	sc.exe
520	sc.exe
4824	sc.exe
4284	sc.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WeMod.exeSirus.exepowershell.exe

pid	process
2352	WeMod.exe
2352	WeMod.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
2352	WeMod.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
4864	powershell.exe
4864	powershell.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
2352	WeMod.exe
2352	WeMod.exe
2352	WeMod.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe
3712	Sirus.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Sirus.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowercfg.exeexplorer.exepowercfg.exepowercfg.exepowercfg.exe

description	pid	process
Token: SeDebugPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeShutdownPrivilege	2436	powercfg.exe
Token: SeCreatePagefilePrivilege	2436	powercfg.exe
Token: SeShutdownPrivilege	2300	powercfg.exe
Token: SeCreatePagefilePrivilege	2300	powercfg.exe
Token: SeShutdownPrivilege	2228	powercfg.exe
Token: SeCreatePagefilePrivilege	2228	powercfg.exe
Token: SeShutdownPrivilege	3520	powercfg.exe
Token: SeCreatePagefilePrivilege	3520	powercfg.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeDebugPrivilege	3812	powershell.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeShutdownPrivilege	4732	powercfg.exe
Token: SeCreatePagefilePrivilege	4732	powercfg.exe
Token: SeLockMemoryPrivilege	1360	explorer.exe
Token: SeShutdownPrivilege	4692	powercfg.exe
Token: SeCreatePagefilePrivilege	4692	powercfg.exe
Token: SeShutdownPrivilege	320	powercfg.exe
Token: SeCreatePagefilePrivilege	320	powercfg.exe
Token: SeShutdownPrivilege	208	powercfg.exe
Token: SeCreatePagefilePrivilege	208	powercfg.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeBackupPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe
Token: SeSecurityPrivilege	3712	Sirus.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.execmd.execmd.execmd.exeleirdnhqqedj.exe

description	pid	process	target process
PID 1508 wrote to memory of 2352	1508	640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe	WeMod.exe
PID 1508 wrote to memory of 2352	1508	640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe	WeMod.exe
PID 1508 wrote to memory of 3712	1508	640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe	Sirus.exe
PID 1508 wrote to memory of 3712	1508	640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe	Sirus.exe
PID 1508 wrote to memory of 3712	1508	640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe	Sirus.exe
PID 4920 wrote to memory of 4112	4920	cmd.exe	wusa.exe
PID 4920 wrote to memory of 4112	4920	cmd.exe	wusa.exe
PID 5008 wrote to memory of 4572	5008	cmd.exe	choice.exe
PID 5008 wrote to memory of 4572	5008	cmd.exe	choice.exe
PID 1668 wrote to memory of 60	1668	cmd.exe	wusa.exe
PID 1668 wrote to memory of 60	1668	cmd.exe	wusa.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1172	4100	leirdnhqqedj.exe	conhost.exe
PID 4100 wrote to memory of 1360	4100	leirdnhqqedj.exe	explorer.exe
PID 4100 wrote to memory of 1360	4100	leirdnhqqedj.exe	explorer.exe
PID 4100 wrote to memory of 1360	4100	leirdnhqqedj.exe	explorer.exe
PID 4100 wrote to memory of 1360	4100	leirdnhqqedj.exe	explorer.exe
PID 4100 wrote to memory of 1360	4100	leirdnhqqedj.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe
"C:\Users\Admin\AppData\Local\Temp\640397d3d855cbb8e3400f7564294bae51d591f7adb0f7856b7acfeb47f4e3d2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Roaming\WeMod.exe
C:\Users\Admin\AppData\Roaming\WeMod.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
3⤵
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
4⤵
PID:4112

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
3⤵
- Launches sc.exe
PID:3692

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3548

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
3⤵
- Launches sc.exe
PID:4996

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
3⤵
- Launches sc.exe
PID:520

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
3⤵
- Launches sc.exe
PID:4824

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2436

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:2228

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "BFFESVJT"
3⤵
- Launches sc.exe
PID:1940

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "BFFESVJT" binpath= "C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2640

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3204

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "BFFESVJT"
3⤵
- Launches sc.exe
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\WeMod.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:4572

C:\Users\Admin\AppData\Roaming\Sirus.exe
C:\Users\Admin\AppData\Roaming\Sirus.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3712

C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
C:\ProgramData\wdcnrrcmzwhi\leirdnhqqedj.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4100

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\system32\wusa.exe
wusa /uninstall /kb:890830 /quiet /norestart
3⤵
PID:60

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop UsoSvc
2⤵
- Launches sc.exe
PID:1616

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop WaaSMedicSvc
2⤵
- Launches sc.exe
PID:2804

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop wuauserv
2⤵
- Launches sc.exe
PID:4912

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop bits
2⤵
- Launches sc.exe
PID:4808

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop dosvc
2⤵
- Launches sc.exe
PID:4284

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4732

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:1172

C:\Windows\explorer.exe
explorer.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jkdvamxx.ypr.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1172-117-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-101-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-100-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-99-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-98-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1172-102-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1360-106-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-111-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-122-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-127-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-112-0x0000000000C80000-0x0000000000CA0000-memory.dmp

Filesize
128KB

Download
memory/1360-109-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-120-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-121-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-123-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-110-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-108-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-105-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/1360-107-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/2352-23-0x00007FFC81B90000-0x00007FFC81E59000-memory.dmp

Filesize
2.8MB

Download
memory/2352-4-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-22-0x00007FFC84410000-0x00007FFC84605000-memory.dmp

Filesize
2.0MB

Download
memory/2352-24-0x00007FFC83270000-0x00007FFC8330E000-memory.dmp

Filesize
632KB

Download
memory/2352-51-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-54-0x00007FFC83270000-0x00007FFC8330E000-memory.dmp

Filesize
632KB

Download
memory/2352-53-0x00007FFC81B90000-0x00007FFC81E59000-memory.dmp

Filesize
2.8MB

Download
memory/2352-55-0x00007FF76BB51000-0x00007FF76BE00000-memory.dmp

Filesize
2.7MB

Download
memory/2352-52-0x00007FFC84410000-0x00007FFC84605000-memory.dmp

Filesize
2.0MB

Download
memory/2352-21-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-15-0x00007FFC83270000-0x00007FFC8330E000-memory.dmp

Filesize
632KB

Download
memory/2352-16-0x0000020247200000-0x0000020247201000-memory.dmp

Filesize
4KB

Download
memory/2352-11-0x00000202470A0000-0x00000202470E7000-memory.dmp

Filesize
284KB

Download
memory/2352-10-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-7-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-8-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/2352-6-0x00007FF76BB51000-0x00007FF76BE00000-memory.dmp

Filesize
2.7MB

Download
memory/2352-5-0x00007FF76B8C0000-0x00007FF76BE00000-memory.dmp

Filesize
5.2MB

Download
memory/3712-30-0x0000000005950000-0x000000000595A000-memory.dmp

Filesize
40KB

Download
memory/3712-35-0x0000000008EB0000-0x0000000008EFC000-memory.dmp

Filesize
304KB

Download
memory/3712-25-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/3712-26-0x0000000000D70000-0x0000000000DBA000-memory.dmp

Filesize
296KB

Download
memory/3712-125-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3712-124-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/3712-27-0x0000000005F30000-0x00000000064D4000-memory.dmp

Filesize
5.6MB

Download
memory/3712-28-0x00000000745E0000-0x0000000074D90000-memory.dmp

Filesize
7.7MB

Download
memory/3712-29-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/3712-31-0x0000000009260000-0x0000000009878000-memory.dmp

Filesize
6.1MB

Download
memory/3712-32-0x0000000008DA0000-0x0000000008EAA000-memory.dmp

Filesize
1.0MB

Download
memory/3712-33-0x0000000008CE0000-0x0000000008CF2000-memory.dmp

Filesize
72KB

Download
memory/3712-34-0x0000000008D40000-0x0000000008D7C000-memory.dmp

Filesize
240KB

Download
memory/3812-87-0x0000025EEF0C0000-0x0000025EEF0DC000-memory.dmp

Filesize
112KB

Download
memory/3812-90-0x0000025EEF310000-0x0000025EEF32C000-memory.dmp

Filesize
112KB

Download
memory/3812-91-0x0000025EEF2F0000-0x0000025EEF2FA000-memory.dmp

Filesize
40KB

Download
memory/3812-92-0x0000025EEF350000-0x0000025EEF36A000-memory.dmp

Filesize
104KB

Download
memory/3812-93-0x0000025EEF300000-0x0000025EEF308000-memory.dmp

Filesize
32KB

Download
memory/3812-94-0x0000025EEF330000-0x0000025EEF336000-memory.dmp

Filesize
24KB

Download
memory/3812-95-0x0000025EEF340000-0x0000025EEF34A000-memory.dmp

Filesize
40KB

Download
memory/3812-89-0x0000025EEF1A0000-0x0000025EEF1AA000-memory.dmp

Filesize
40KB

Download
memory/3812-88-0x0000025EEF0E0000-0x0000025EEF195000-memory.dmp

Filesize
724KB

Download
memory/4100-115-0x00007FFC81B90000-0x00007FFC81E59000-memory.dmp

Filesize
2.8MB

Download
memory/4100-58-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-61-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-67-0x00007FFC83270000-0x00007FFC8330E000-memory.dmp

Filesize
632KB

Download
memory/4100-114-0x00007FFC84410000-0x00007FFC84605000-memory.dmp

Filesize
2.0MB

Download
memory/4100-60-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-59-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-116-0x00007FFC83270000-0x00007FFC8330E000-memory.dmp

Filesize
632KB

Download
memory/4100-63-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-118-0x00007FF7D1BF0000-0x00007FF7D2130000-memory.dmp

Filesize
5.2MB

Download
memory/4100-62-0x00000247D2D20000-0x00000247D2D67000-memory.dmp

Filesize
284KB

Download
memory/4864-43-0x00000182F99E0000-0x00000182F9A02000-memory.dmp

Filesize
136KB

Download