redline | 76919d1b955f642d02652b03274a9d447d386b8071d1f51f41a22cc708a7db31

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7v20210410
submitted
08-05-2021 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7cfcefabc22cecb94af7cc290bef648.exe
Size

188KB
MD5

d7cfcefabc22cecb94af7cc290bef648
SHA1

45844bd2f247d3e62e6d90762c84187e7f6c83cc
SHA256

76919d1b955f642d02652b03274a9d447d386b8071d1f51f41a22cc708a7db31
SHA512

19b78fb987fc585559489e75bb4e9c9a9ee43b2c2a32d7c8dc329cd02d3ca62fa8c0787c2bef6f7c3138ab6d0969a31591c493f8fb77a63aed7880307bda1630

Score

10^/10

redline firstma discovery infostealer spyware stealer

Malware Config

Extracted

Family

redline

Botnet

firstma

45.67.231.56:3214

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/768-60-0x0000000000680000-0x000000000069E000-memory.dmp	family_redline
behavioral1/memory/768-61-0x0000000002000000-0x000000000201D000-memory.dmp	family_redline
behavioral1/memory/1032-80-0x0000000001E20000-0x0000000001E3E000-memory.dmp	family_redline
behavioral1/memory/1032-81-0x0000000001F30000-0x0000000001F4D000-memory.dmp	family_redline
\Users\Admin\AppData\Local\Temp\rvs.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\rvs.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\rvs.exe	family_redline

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

servs.exervs.exe

pid process

1032 servs.exe
1100 rvs.exe
Loads dropped DLL 2 IoCs

Processes:

d7cfcefabc22cecb94af7cc290bef648.exe

pid process

768 d7cfcefabc22cecb94af7cc290bef648.exe
768 d7cfcefabc22cecb94af7cc290bef648.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

pid	process
1032	servs.exe
1100	rvs.exe

pid	process
768	d7cfcefabc22cecb94af7cc290bef648.exe
768	d7cfcefabc22cecb94af7cc290bef648.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FCAA32B1-AFCB-11EB-AB32-6E76A0352788} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000032d5d802542f58b4dbb07d1adc67de51e244b233e4e282d7cb9af7729aa4ff0a000000000e8000000002000020000000f93304b70588a7ff47cdeef89a5731bdb04856d55b5ae78d189b76a2c568763f9000000049eeb5734c7355638e6a2877602e0cc42fd6b9048200b18b4e220aac4bdda4f0043d097b4217a86bdcb81a8f01173f5548c528400f2b556b2ab9b7e19ddc32e6f2d2d16ee8b7938e406f5b4ccf23dec22b049cb3ff814e16f5588f9c8cfbf9ef9467f8183eea09fcd38a98e1a298238b6beae0adf5c7a5d03ffec80b8d925a021e5154a43591ab40237d2da8120173ea40000000fbd47f68b6035adcf4c2f750013fbe88f94d119b08b9c1c255e2788dca5822b28f2410a6b55ec4b5e69bd1d281e53a1881f662c00727367da25ad357f9df1f5b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "327222596"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\secure-robinhood.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50523ed4d843d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage\secure-robinhood.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000ae1075a56406ab790489e01da20a372b7e30135f05372d2007cedbe1aece24cb000000000e80000000020000200000002eea6d8110eabf17f382fa6f3df2949f8f848a098f3d7e65aa0b928de25cc9a620000000d62bd64f10a51942f3a9d92f27af179344b40fd15195c15c6070b342718ce7ae4000000050d569a10d89c3289116babe83cf540ce5826c064389f989938e75becd73bc8c7b80c4b0744db6628461453e7f971af3ea67f6f1429dbfe25ae5bba4cef73cdc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

d7cfcefabc22cecb94af7cc290bef648.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	d7cfcefabc22cecb94af7cc290bef648.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d7cfcefabc22cecb94af7cc290bef648.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	d7cfcefabc22cecb94af7cc290bef648.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

d7cfcefabc22cecb94af7cc290bef648.exeservs.exe

pid process

768 d7cfcefabc22cecb94af7cc290bef648.exe
1032 servs.exe
1032 servs.exe

pid	process
768	d7cfcefabc22cecb94af7cc290bef648.exe
1032	servs.exe
1032	servs.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

d7cfcefabc22cecb94af7cc290bef648.exeservs.exervs.exeIEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	768	d7cfcefabc22cecb94af7cc290bef648.exe
Token: SeDebugPrivilege	1032	servs.exe
Token: SeDebugPrivilege	1100	rvs.exe
Token: 33	1608	IEXPLORE.EXE
Token: SeIncBasePriorityPrivilege	1608	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exeiexplore.exe

pid process

340 iexplore.exe
928 iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

Processes:

iexplore.exeiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
340	iexplore.exe
340	iexplore.exe
928	iexplore.exe
928	iexplore.exe
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

d7cfcefabc22cecb94af7cc290bef648.exeiexplore.exeiexplore.exe

description	pid	process	target process
PID 768 wrote to memory of 340	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 340	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 340	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 340	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 928	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 928	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 928	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 768 wrote to memory of 928	768	d7cfcefabc22cecb94af7cc290bef648.exe	iexplore.exe
PID 340 wrote to memory of 1652	340	iexplore.exe	IEXPLORE.EXE
PID 340 wrote to memory of 1652	340	iexplore.exe	IEXPLORE.EXE
PID 340 wrote to memory of 1652	340	iexplore.exe	IEXPLORE.EXE
PID 340 wrote to memory of 1652	340	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 1608	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 1608	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 1608	928	iexplore.exe	IEXPLORE.EXE
PID 928 wrote to memory of 1608	928	iexplore.exe	IEXPLORE.EXE
PID 768 wrote to memory of 1032	768	d7cfcefabc22cecb94af7cc290bef648.exe	servs.exe
PID 768 wrote to memory of 1032	768	d7cfcefabc22cecb94af7cc290bef648.exe	servs.exe
PID 768 wrote to memory of 1032	768	d7cfcefabc22cecb94af7cc290bef648.exe	servs.exe
PID 768 wrote to memory of 1032	768	d7cfcefabc22cecb94af7cc290bef648.exe	servs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe
PID 768 wrote to memory of 1100	768	d7cfcefabc22cecb94af7cc290bef648.exe	rvs.exe

C:\Users\Admin\AppData\Local\Temp\d7cfcefabc22cecb94af7cc290bef648.exe
"C:\Users\Admin\AppData\Local\Temp\d7cfcefabc22cecb94af7cc290bef648.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1sGYs7
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:340

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:340 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://secure-robinhood.com/
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:928

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:928 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Users\Admin\AppData\Local\Temp\servs.exe
"C:\Users\Admin\AppData\Local\Temp\servs.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Users\Admin\AppData\Local\Temp\rvs.exe
"C:\Users\Admin\AppData\Local\Temp\rvs.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
15775d95513782f99cdfb17e65dfceb1

SHA1
6c11f8bee799b093f9ff4841e31041b081b23388

SHA256
477a9559194edf48848fce59e05105168745a46bdc0871ea742a2588ca9fbe00

SHA512
ac09ce01122d7a837bd70277badd58ff71d8c5335f8fc599d5e3ed42c8fee2108dd043bce562c82ba12a81b9b08bd24b961c0961bf8fd3a0b8341c87483cd1e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
ecb20992a09c894ecb3668e23ee28a96

SHA1
9f212ae39fdf9cd1736aa1ee8a20e413d42efaa6

SHA256
463ea3ff5136b83da43a2ac6f241cdd01db819cd33d9eb36dfc077c46d069681

SHA512
e475be83a174d19daf30a7fe54fdf4a90398177f7c3c1a712f4bd5dd6a7fa234ec0664c822551c5dcfabb8eedfb547d0a8a8c14c6ba1210bca1103e89a25967c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
1356edc22dba979cdca3e7343459c1c4

SHA1
965c411fa47483007d46425c069b45bb43b5bba9

SHA256
d0e399d2f2eea487945c53358cb598a835822f9f5d03f61a2eaaa36c5684f777

SHA512
4ed399ce1c2122d9be86b46d65a801f08dd4c55de54c026be7b464b5faae011fd196b10cb5eedead2174cdd5ce899884823b9f155c7d09945c41081803028e51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
eefe6846331d02b75534a830ba32685c

SHA1
66777b0dab3b8f98e599178a2a4283758668232d

SHA256
24ef5280be7325d08a30829653b5f853fa29723710676471ce0592a0383f4792

SHA512
bd2236602f876dffc94347b6e6ca19cc648fa28afcd95602f56e13206652e36b4a2b7c92fb0bc54e15b589eae2d8f0ea32d6a87378135aaad0612ced7ea61469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FCA56FF1-AFCB-11EB-AB32-6E76A0352788}.dat
MD5
5aeadbb96c47eae452e3c2312d322118

SHA1
b22c081b6a25f282945f53b4b2a1937bb00a9c4f

SHA256
4e59bec249e9778dfee59b62cf024d5f6659d5fb1edc7d07c230b37f70295876

SHA512
232bcb59a377f7e3777777bb94c9a47664046f0642975ad3fe153e1db716e56897f51e8c397d55a6812db0da51dba0e05f6f732d560063dd0ad0299e783b8f6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FCAA32B1-AFCB-11EB-AB32-6E76A0352788}.dat
MD5
48f2d95c5e51dacc43588cd78943241b

SHA1
2c7ad31b21092378860064f1869e6f996dcb6f15

SHA256
564a9281a309030ac0ac76e20fff15848689109fdaf48521e28a489e3577619e

SHA512
9f113c86c00af3e63c8c44e5b376602c48a69a5a7edcf93a91c60e6ca5f47b6c60a1eb17cba8dae68437d77bfddb33b80852552bccef49a59adc7d52b4e0090f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
d24e8c42e4073d3d9690f00b5d157e56

SHA1
ee43cf1607e1378bb921aca8ef7ce68f4c3424cb

SHA256
bd53eb0450c18e5118b81923cafb6d8679a4e96c4d60f4d38f7c14663e304e07

SHA512
3247fb286f172cc079acd850d7191af66c9f327d0d1c76ae394bc426ee4b3443f15754ec91a6a4bca49170d794fbca4a3df70c54ba69cd937a75a4bfe51d4718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
addc4282760b2e5c1bed68c3b25ff4ba

SHA1
f2a71d0ef655df7274620c51d29c41fc781686d2

SHA256
715517e3665ed0c3cc852e870c801de8e7ccd56f6572bad51b71648bd2234493

SHA512
be94827e7416654c990866cbe89c79163e70ba640d614f6ac25430834edd57e109a9b86ac15ea5aa2f57641f58a87c3f1d312c854873d5391371299186dd32f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvs.exe
MD5
830791e50ebd569c3169a7860455dde9

SHA1
decc913ea54066aca3bfd0e3bc791b3e10840eb5

SHA256
5b2c3cc04375edc534a731821cefd6563d358035ed737ceb66f69b0f54077a66

SHA512
b50ce56df27fb5dc8a8645e5131821e6d3d9cf4589510e004f0a9fb212e1a7fdc35831109a7f5067856aa0f0b901fbea112799a9badbdfa4100c51852004ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rvs.exe
MD5
830791e50ebd569c3169a7860455dde9

SHA1
decc913ea54066aca3bfd0e3bc791b3e10840eb5

SHA256
5b2c3cc04375edc534a731821cefd6563d358035ed737ceb66f69b0f54077a66

SHA512
b50ce56df27fb5dc8a8645e5131821e6d3d9cf4589510e004f0a9fb212e1a7fdc35831109a7f5067856aa0f0b901fbea112799a9badbdfa4100c51852004ed9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\servs.exe
MD5
14c4511f1f708818203e97f28adcb422

SHA1
e92fe1d751db00e1a78e62383884ed50ad7562b1

SHA256
4cd909b0c0733cb1191dcbb20ef2a62683873c902c0ae037f33c6cb779a34be5

SHA512
8d1907ebbbd6b856767a37ca385a74cfdd1265303e245ec4656a9f5812b79a0cc4730e4dec66fffca8346e32c80144ce724b118bed1f4a7acd92876d6f4ffcf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\8ERKTOKG.txt
MD5
1b2178071740912d7204d71c516612fa

SHA1
4ade32b4cb39c0c648d0ba25a07692fc31b4738a

SHA256
450e47cf59c6d4c755e31953d9efaa027cc9169c3d4eff4b4fae4326f329982a

SHA512
816c2e6244a2d66f5e8e609c896d0a6c7de87661a3471fe3d4a0a9cabd62a9a7c8ff30f9e18672a1cc222ca22f58a15c1e14b1c8172983120ada4b9a3b0ed726

Download Submit
\Users\Admin\AppData\Local\Temp\rvs.exe
MD5
830791e50ebd569c3169a7860455dde9

SHA1
decc913ea54066aca3bfd0e3bc791b3e10840eb5

SHA256
5b2c3cc04375edc534a731821cefd6563d358035ed737ceb66f69b0f54077a66

SHA512
b50ce56df27fb5dc8a8645e5131821e6d3d9cf4589510e004f0a9fb212e1a7fdc35831109a7f5067856aa0f0b901fbea112799a9badbdfa4100c51852004ed9e

Download Submit
\Users\Admin\AppData\Local\Temp\servs.exe
MD5
14c4511f1f708818203e97f28adcb422

SHA1
e92fe1d751db00e1a78e62383884ed50ad7562b1

SHA256
4cd909b0c0733cb1191dcbb20ef2a62683873c902c0ae037f33c6cb779a34be5

SHA512
8d1907ebbbd6b856767a37ca385a74cfdd1265303e245ec4656a9f5812b79a0cc4730e4dec66fffca8346e32c80144ce724b118bed1f4a7acd92876d6f4ffcf2

Download Submit
memory/340-67-0x000007FEFC181000-0x000007FEFC183000-memory.dmp

Filesize
8KB

Download
memory/340-66-0x0000000000000000-mapping.dmp

Download
memory/340-69-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/768-62-0x0000000004881000-0x0000000004882000-memory.dmp

Filesize
4KB

Download
memory/768-60-0x0000000000680000-0x000000000069E000-memory.dmp

Filesize
120KB

Download
memory/768-64-0x0000000004883000-0x0000000004884000-memory.dmp

Filesize
4KB

Download
memory/768-65-0x0000000004884000-0x0000000004886000-memory.dmp

Filesize
8KB

Download
memory/768-63-0x0000000004882000-0x0000000004883000-memory.dmp

Filesize
4KB

Download
memory/768-61-0x0000000002000000-0x000000000201D000-memory.dmp

Filesize
116KB

Download
memory/928-68-0x0000000000000000-mapping.dmp

Download
memory/1032-82-0x0000000004931000-0x0000000004932000-memory.dmp

Filesize
4KB

Download
memory/1032-84-0x0000000004933000-0x0000000004934000-memory.dmp

Filesize
4KB

Download
memory/1032-78-0x0000000000000000-mapping.dmp

Download
memory/1032-80-0x0000000001E20000-0x0000000001E3E000-memory.dmp

Filesize
120KB

Download
memory/1032-83-0x0000000004932000-0x0000000004933000-memory.dmp

Filesize
4KB

Download
memory/1032-81-0x0000000001F30000-0x0000000001F4D000-memory.dmp

Filesize
116KB

Download
memory/1032-85-0x0000000004934000-0x0000000004936000-memory.dmp

Filesize
8KB

Download
memory/1100-92-0x00000000048C0000-0x00000000048C1000-memory.dmp

Filesize
4KB

Download
memory/1100-90-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/1100-87-0x0000000000000000-mapping.dmp

Download
memory/1608-71-0x0000000000000000-mapping.dmp

Download
memory/1652-70-0x0000000000000000-mapping.dmp

Download
memory/1652-74-0x0000000002200000-0x0000000002202000-memory.dmp

Filesize
8KB

Download
memory/1652-72-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download