redline | fb68afd0254bcaad62a35fe249e9bbcbd10697e900473676576c7fd6c859a293

Analysis

max time kernel
120s
max time network
141s
platform
windows7_x64
resource
win7v20210410
submitted
03-07-2021 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0c5664aa4a6a4f84d1d8af648c10b8c.exe
Size

685KB
MD5

a0c5664aa4a6a4f84d1d8af648c10b8c
SHA1

59ae34134303fa91101159f632e681560391b3d4
SHA256

fb68afd0254bcaad62a35fe249e9bbcbd10697e900473676576c7fd6c859a293
SHA512

44f4e3268dfd1e72dd878e8b5c0a4433925d26ceb573d32eb8e931a1a32a75d5e2a681d5417ddfc01eeedb9e300e17816b3522023f453faf9baedda29856516f

Score

10^/10

redline vidar 890 build1 discovery evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

890

https://sergeevih43.tumblr.com

Attributes

profile_id
890

Extracted

Family

redline

Botnet

build1

185.244.182.34:32068

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2128-111-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2128-112-0x0000000000417EDA-mapping.dmp	family_redline
behavioral1/memory/2128-114-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral1/memory/848-88-0x00000000006B0000-0x000000000074D000-memory.dmp	family_vidar
behavioral1/memory/848-89-0x0000000000400000-0x0000000000636000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

File.exerun.exerun2.exerun2.exe

pid process

1964 File.exe
848 run.exe
592 run2.exe
2128 run2.exe

pid	process
1964	File.exe
848	run.exe
592	run2.exe
2128	run2.exe

Loads dropped DLL 11 IoCs

Processes:

a0c5664aa4a6a4f84d1d8af648c10b8c.exeFile.exerun.exe

pid	process
1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe
1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe
1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe
1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe
1964	File.exe
1964	File.exe
1964	File.exe
848	run.exe
848	run.exe
848	run.exe
848	run.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

a0c5664aa4a6a4f84d1d8af648c10b8c.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a0c5664aa4a6a4f84d1d8af648c10b8c.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

run2.exe

description pid process target process

PID 592 set thread context of 2128 592 run2.exe run2.exe

description	pid	process	target process
PID 592 set thread context of 2128	592	run2.exe	run2.exe

autoit_exe 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

run.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	run.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	run.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2080 timeout.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

528 taskkill.exe

pid	process
2080	timeout.exe

pid	process
528	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "332035286"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f0000000002000000000010660000000100002000000084b24606646ab22b6249750ab6407a936f4047f5433b1ff57ec293174b141d5e000000000e8000000002000020000000e9ebf361310b9fa908f26e9c4df026cefcc8b26c5f7c2828ae48a908f27f4927200000000aebfbad4db8882aa5ca6fcae11f69f8bf26860127a70549be0301f16e2fc929400000006fa3359e68875ab8b253c27914721e90c07de70cafb7113ba81f0cece2627bfef3992b5bb9b292c3f9384ad8d42ea6f8021843402f6ad3002d31c6bc83326651	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{673F56E1-DB91-11EB-B85A-F2B989C9245F} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20daf53c9e6fd701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f00000000020000000000106600000001000020000000cafa14640de42dab7fc6306c5c2f8b7d3a5760798b93351423ffe0ff0dcf8eec000000000e8000000002000020000000fb993e954a9c8ae1ee258ad9f3b8febc419be44f8ce2d625dc045e0ea0e4f02f90000000f6ec13962cb7ad66b463c3c7980b7f5a7a9ffe74499340f962af46d32d16c9da61b45688649c25e75b38ae36e65ef39ab0db647cbbb031f65cb707a72f000ad4df09884b8016aa81e16c982a2877dca7a41c03fe82f1bd9899e897e1ec7575fe98b9fa6169e45391950d21fe1547f66c1e72ff79f8e0fbc6d132a64bb9d9b0f679ebf9cecab869ec17bb662658a152ae40000000eda0f506f348e9164c4e6a64dfffd46524dfc4d2addf43574b2e601120a2c1e73b97ceb3f085c251a90770aee52163b794b704ec4565a2d773a3c8fcd7ec32cd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

run.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	run.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	run.exe

NTFS ADS 3 IoCs

Processes:

IEXPLORE.EXE

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\www3A06.tmp\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\fpus.url\:favicon:$DATA	IEXPLORE.EXE
File created	C:\Users\Admin\AppData\Local\Temp\RarSFX0\fpus.url:favicon	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

run.exerun2.exe

pid process

848 run.exe
848 run.exe
848 run.exe
848 run.exe
2128 run2.exe
2128 run2.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

taskkill.exerun2.exerun2.exe

description pid process

Token: SeDebugPrivilege 528 taskkill.exe
Token: SeDebugPrivilege 592 run2.exe
Token: SeDebugPrivilege 2128 run2.exe
Suspicious use of FindShellTrayWindow 7 IoCs

Processes:

File.exeiexplore.exe

pid process

1964 File.exe
1964 File.exe
1964 File.exe
1964 File.exe
1964 File.exe
1964 File.exe
1504 iexplore.exe
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

File.exe

pid process

1964 File.exe
1964 File.exe
1964 File.exe
1964 File.exe
1964 File.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1504 iexplore.exe
1504 iexplore.exe
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE
1452 IEXPLORE.EXE

pid	process
848	run.exe
848	run.exe
848	run.exe
848	run.exe
2128	run2.exe
2128	run2.exe

description	pid	process
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	592	run2.exe
Token: SeDebugPrivilege	2128	run2.exe

pid	process
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1504	iexplore.exe

pid	process
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe
1964	File.exe

pid	process
1504	iexplore.exe
1504	iexplore.exe
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 37 IoCs

Processes:

a0c5664aa4a6a4f84d1d8af648c10b8c.exeFile.exeiexplore.exerun.execmd.exerun2.exe

description	pid	process	target process
PID 1684 wrote to memory of 1964	1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe	File.exe
PID 1684 wrote to memory of 1964	1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe	File.exe
PID 1684 wrote to memory of 1964	1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe	File.exe
PID 1684 wrote to memory of 1964	1684	a0c5664aa4a6a4f84d1d8af648c10b8c.exe	File.exe
PID 1964 wrote to memory of 848	1964	File.exe	run.exe
PID 1964 wrote to memory of 848	1964	File.exe	run.exe
PID 1964 wrote to memory of 848	1964	File.exe	run.exe
PID 1964 wrote to memory of 848	1964	File.exe	run.exe
PID 1964 wrote to memory of 592	1964	File.exe	run2.exe
PID 1964 wrote to memory of 592	1964	File.exe	run2.exe
PID 1964 wrote to memory of 592	1964	File.exe	run2.exe
PID 1964 wrote to memory of 592	1964	File.exe	run2.exe
PID 1504 wrote to memory of 1452	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 1452	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 1452	1504	iexplore.exe	IEXPLORE.EXE
PID 1504 wrote to memory of 1452	1504	iexplore.exe	IEXPLORE.EXE
PID 848 wrote to memory of 672	848	run.exe	cmd.exe
PID 848 wrote to memory of 672	848	run.exe	cmd.exe
PID 848 wrote to memory of 672	848	run.exe	cmd.exe
PID 848 wrote to memory of 672	848	run.exe	cmd.exe
PID 672 wrote to memory of 528	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 528	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 528	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 528	672	cmd.exe	taskkill.exe
PID 672 wrote to memory of 2080	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 2080	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 2080	672	cmd.exe	timeout.exe
PID 672 wrote to memory of 2080	672	cmd.exe	timeout.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe
PID 592 wrote to memory of 2128	592	run2.exe	run2.exe

C:\Users\Admin\AppData\Local\Temp\a0c5664aa4a6a4f84d1d8af648c10b8c.exe
"C:\Users\Admin\AppData\Local\Temp\a0c5664aa4a6a4f84d1d8af648c10b8c.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
PID:1684

C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964

C:\Users\Public\run.exe
C:\Users\Public\run.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im run.exe /f & timeout /t 6 & del /f /q "C:\Users\Public\run.exe" & del C:\ProgramData\*.dll & exit
4⤵
- Suspicious use of WriteProcessMemory
PID:672

C:\Windows\SysWOW64\taskkill.exe
taskkill /im run.exe /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:2080

C:\Users\Public\run2.exe
C:\Users\Public\run2.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Public\run2.exe
C:\Users\Public\run2.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1504 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1452

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\freebl3.dll
MD5
ef2834ac4ee7d6724f255beaf527e635

SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b

SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba

SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2

Download Submit
C:\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
C:\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\ProgramData\softokn3.dll
MD5
a2ee53de9167bf0d6c019303b7ca84e5

SHA1
2a3c737fa1157e8483815e98b666408a18c0db42

SHA256
43536adef2ddcc811c28d35fa6ce3031029a2424ad393989db36169ff2995083

SHA512
45b56432244f86321fa88fbcca6a0d2a2f7f4e0648c1d7d7b1866adc9daa5eddd9f6bb73662149f279c9ab60930dad1113c8337cb5e6ec9eed5048322f65f7d8

Download Submit
C:\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
12723304ff64e511329733a90d2e7103

SHA1
80bf45be94d205c9ef1caa8bfa518535208fcfca

SHA256
52997056bdb065f2445007c21ce1f08c3974658f4e3a14058e26560d23117db0

SHA512
29f76617e858fd482c8d3ec9b87fc37e23f7a050138cb7e9cbb5e6756f9d0a60d35ef6d6dfbc9ce28474259741f545472166e9fb1bd938deffc0969951494422

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
e2f4a6c57e0145c7051dd32e5d4a12e8

SHA1
3122b2d1915ee4788517dc2f1a01419c1450ac51

SHA256
ba16fcab364303681ec46d72d270a3e219697b48d6ec8f207ed4550b9d01d17a

SHA512
75b795460e38f1893603aabdf6b75dc227457bb1dabf58c50094a97ea52b5207d5e387715d467f96e1747e5bf04d3a45829065fb12362f17a068a2b1addde124

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
089cd641f9bd893034b9f116049f46c5

SHA1
552a87b133407664233cc43c4afa0a7015860675

SHA256
17ff84393cdf39c748db28dbafc6f56477dff267b0da8d2e7335e77212c2cf21

SHA512
8575647cd18442ffaa64475180835342974929616c3be0ea9f0a46b98f97b99aef1a4297c5cbca5312c7791b68772b8192e9d953b7a84720a01c88c7a182186f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
a1480d78d9342fb933a2ba4f8fbdcdc4

SHA1
cd350b835a1895d098637690d07824dac7739cbc

SHA256
0dd6d85c667bd50b3ded7585ada65ef309dc008aea820630961867464b4fceaf

SHA512
b278e849ea61fe4612d885cabb3fc72d93b9d5d88e3fa434420e7f486571f2d02b09a400fd3a036bf5ab39d15ff71288f4f6107bf884c0f6f60d2ed889904216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
9529701eb76c7196b1fd36a6479aa1d1

SHA1
429409396a8bfe2be2923bbde84f9623d358718a

SHA256
4c92a9717ade17e7267c0dd6f772b0e9382faa47d0e26d876f7c4c565f1752e0

SHA512
09a15ad11859587465225d44a676b8a55fe208deb82e1a6007b0347c5aa131616c1ccf587320599b0e97283b7fcb027910b2a3c29651a184199b6bce237e8c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sgyae4t\imagestore.dat
MD5
62d5f61f084c4232f09d0312bbcb4808

SHA1
3dfa8a974f05fe0ccc91883d2ea5a9129196eaff

SHA256
b4a347ceb97221badf353c7770f1a2e0b568094c8ac4c2b34897f9dfdc4f0cf3

SHA512
4896b0230041bce2d58ac53c34bc2469d37ec92ab3e8747a4cc37cb33a70ec1ee88ba480c77979d49af527ff735e74447a742ad1cec29a79166008e8dfd65e95

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\fpus.url
MD5
cffa946e626b11e6b7c4f6c8b04b0a79

SHA1
9117265f029e013181adaa80e9df3e282f1f11ae

SHA256
63a7a47e615966f06914b658f82bf2a3eac30a686ac2225805a0eedf0bba8166

SHA512
c52fbef9fbfd6a921c3cc183ee71907bbacf6d10ef822299f76af1de755427d49068829167d6cbf5175930d113bc60712fe32b548dae40aa4594d4fb3baee9b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\X3N66S3U.txt
MD5
85c8354b24d06cabf94af2edd6b20135

SHA1
5f449d7038cd9c28fb7ea78a8cd7bdd0dbeb888b

SHA256
eed09da05e3846fb9b0fe4f967015f83a01c98a0734a374112341122b4b82fe0

SHA512
2be7f4ccb137df9537e18967e3a3b3d77ffe449cc5a21f366c84f6483cbe45c07e7a06efa8ddf62abc6b91540af1ef93f4b67946132ffc64ee7386c47f6c6537

Download Submit
C:\Users\Public\run.exe
MD5
dbda4dcfaea632d008434a94928058a1

SHA1
5f8ff4e123e7e23c88479660adcd4a73ef6a5a31

SHA256
ffba2354a29c3cff94d61abbe2d63b52b431b4a8ad2d6b3e3766e41f86b39dc7

SHA512
3050174951def6a868ce8a16840c23785ecbef360bbb022ad871a3a799eb071996535dc776ea3f8fccd4a7edd44fbd20ad6cf0da1af254903f4e5c247853e220

Download Submit
C:\Users\Public\run.exe
MD5
dbda4dcfaea632d008434a94928058a1

SHA1
5f8ff4e123e7e23c88479660adcd4a73ef6a5a31

SHA256
ffba2354a29c3cff94d61abbe2d63b52b431b4a8ad2d6b3e3766e41f86b39dc7

SHA512
3050174951def6a868ce8a16840c23785ecbef360bbb022ad871a3a799eb071996535dc776ea3f8fccd4a7edd44fbd20ad6cf0da1af254903f4e5c247853e220

Download Submit
C:\Users\Public\run2.exe
MD5
cbbfe40c56b1ae876a0770fa21f3c265

SHA1
280d4006fc0ef090afe5ee6122f699cea52dc01f

SHA256
cae8c2fe828f1049192c3cd97b0a918222d8450027afdfe683ac6c4651f6da21

SHA512
5ca292eef462b8f9f9ccaa2be142ba7cb2e436a7a1578b4527d9002950309a78a9b01ae34db16e3259d508ca78e7bfeb2ab2f09953044ee101d04b1ce229184a

Download Submit
C:\Users\Public\run2.exe
MD5
cbbfe40c56b1ae876a0770fa21f3c265

SHA1
280d4006fc0ef090afe5ee6122f699cea52dc01f

SHA256
cae8c2fe828f1049192c3cd97b0a918222d8450027afdfe683ac6c4651f6da21

SHA512
5ca292eef462b8f9f9ccaa2be142ba7cb2e436a7a1578b4527d9002950309a78a9b01ae34db16e3259d508ca78e7bfeb2ab2f09953044ee101d04b1ce229184a

Download Submit
C:\Users\Public\run2.exe
MD5
cbbfe40c56b1ae876a0770fa21f3c265

SHA1
280d4006fc0ef090afe5ee6122f699cea52dc01f

SHA256
cae8c2fe828f1049192c3cd97b0a918222d8450027afdfe683ac6c4651f6da21

SHA512
5ca292eef462b8f9f9ccaa2be142ba7cb2e436a7a1578b4527d9002950309a78a9b01ae34db16e3259d508ca78e7bfeb2ab2f09953044ee101d04b1ce229184a

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\msvcp140.dll
MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\ProgramData\vcruntime140.dll
MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\File.exe
MD5
954264f2ba5b24bbeecb293be714832c

SHA1
fde3ad6e6d8ab951b002c7ca17e867bf3c1d9ba0

SHA256
db5906a6a58c5f7e8991fb5c3a7201843142844650eb5b89bdf89094aba9e96c

SHA512
8fb15e5888d713e10df04b64c0a24250547a978eac9a7b25d653c343f01afc204fa661937a76644a2dcd3f5b65225450d3aaecb67014125a50722df21467ee53

Download Submit
\Users\Public\run.exe
MD5
dbda4dcfaea632d008434a94928058a1

SHA1
5f8ff4e123e7e23c88479660adcd4a73ef6a5a31

SHA256
ffba2354a29c3cff94d61abbe2d63b52b431b4a8ad2d6b3e3766e41f86b39dc7

SHA512
3050174951def6a868ce8a16840c23785ecbef360bbb022ad871a3a799eb071996535dc776ea3f8fccd4a7edd44fbd20ad6cf0da1af254903f4e5c247853e220

Download Submit
\Users\Public\run.exe
MD5
dbda4dcfaea632d008434a94928058a1

SHA1
5f8ff4e123e7e23c88479660adcd4a73ef6a5a31

SHA256
ffba2354a29c3cff94d61abbe2d63b52b431b4a8ad2d6b3e3766e41f86b39dc7

SHA512
3050174951def6a868ce8a16840c23785ecbef360bbb022ad871a3a799eb071996535dc776ea3f8fccd4a7edd44fbd20ad6cf0da1af254903f4e5c247853e220

Download Submit
\Users\Public\run2.exe
MD5
cbbfe40c56b1ae876a0770fa21f3c265

SHA1
280d4006fc0ef090afe5ee6122f699cea52dc01f

SHA256
cae8c2fe828f1049192c3cd97b0a918222d8450027afdfe683ac6c4651f6da21

SHA512
5ca292eef462b8f9f9ccaa2be142ba7cb2e436a7a1578b4527d9002950309a78a9b01ae34db16e3259d508ca78e7bfeb2ab2f09953044ee101d04b1ce229184a

Download Submit
memory/528-101-0x0000000000000000-mapping.dmp

Download
memory/592-85-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/592-75-0x0000000000000000-mapping.dmp

Download
memory/592-110-0x0000000000410000-0x0000000000419000-memory.dmp

Filesize
36KB

Download
memory/592-79-0x0000000000810000-0x0000000000811000-memory.dmp

Filesize
4KB

Download
memory/672-100-0x0000000000000000-mapping.dmp

Download
memory/848-88-0x00000000006B0000-0x000000000074D000-memory.dmp

Filesize
628KB

Download
memory/848-89-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/848-72-0x0000000000000000-mapping.dmp

Download
memory/1452-83-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/1452-81-0x0000000000000000-mapping.dmp

Download
memory/1504-78-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

Filesize
8KB

Download
memory/1684-60-0x0000000075011000-0x0000000075013000-memory.dmp

Filesize
8KB

Download
memory/1964-69-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/1964-65-0x0000000000000000-mapping.dmp

Download
memory/2080-102-0x0000000000000000-mapping.dmp

Download
memory/2128-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2128-112-0x0000000000417EDA-mapping.dmp

Download
memory/2128-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2128-116-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download