redline | b4804fd9d41771474066b3f4c0fd95b5e7a18ad5194b19f26197bfefda65c8ca

Analysis

max time kernel
155s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2022 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrivateHack.exe
Size

1.1MB
MD5

d6a2df8caa573872bbe9c8e8c59d6028
SHA1

0b8eda3c0f420a608347f7b76df017e75c2a6e42
SHA256

b4804fd9d41771474066b3f4c0fd95b5e7a18ad5194b19f26197bfefda65c8ca
SHA512

7d728cf075ed54f17a16d393ce38a885e7386799b3cc9edc250f6a961ee64bc040e2886ec22bf3ea0e99fa6f88ddf0fbb021ed96fc20c4b90b1b667f7f3e71f4

Score

10^/10

redline xmrig ytstealer infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
2809e5944cfb3e2f786ac4a1217ad4a9

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/166184-131-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2956-166-0x0000000000CB0000-0x0000000001A89000-memory.dmp	family_ytstealer
behavioral2/memory/2956-183-0x0000000000CB0000-0x0000000001A89000-memory.dmp	family_ytstealer
behavioral2/memory/2956-215-0x0000000000CB0000-0x0000000001A89000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 1 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 5 IoCs

Processes:

MainModule.exestart.execrypted.exedllhost.exewinlogson.exe

pid process

3792 MainModule.exe
2956 start.exe
2148 crypted.exe
5252 dllhost.exe
6804 winlogson.exe

pid	process
3792	MainModule.exe
2956	start.exe
2148	crypted.exe
5252	dllhost.exe
6804	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral2/memory/2956-166-0x0000000000CB0000-0x0000000001A89000-memory.dmp	upx
behavioral2/memory/2956-183-0x0000000000CB0000-0x0000000001A89000-memory.dmp	upx
behavioral2/memory/2956-215-0x0000000000CB0000-0x0000000001A89000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

PrivateHack.exe

description pid process target process

PID 4944 set thread context of 166184 4944 PrivateHack.exe AppLaunch.exe

description	pid	process	target process
PID 4944 set thread context of 166184	4944	PrivateHack.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5924	schtasks.exe
5992	schtasks.exe
6032	schtasks.exe
6020	schtasks.exe
5972	schtasks.exe
5840	schtasks.exe
5856	schtasks.exe
5876	schtasks.exe
5908	schtasks.exe
5936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exepowershell.exedllhost.exestart.exe

pid	process
166184	AppLaunch.exe
3792	MainModule.exe
4244	powershell.exe
4244	powershell.exe
2140	powershell.exe
2140	powershell.exe
5124	powershell.exe
5124	powershell.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
2956	start.exe
2956	start.exe
2956	start.exe
2956	start.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe
5252	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

656

pid	process
656

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	166184	AppLaunch.exe
Token: SeDebugPrivilege	3792	MainModule.exe
Token: SeDebugPrivilege	4244	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	5124	powershell.exe
Token: SeDebugPrivilege	5252	dllhost.exe
Token: SeLockMemoryPrivilege	6804	winlogson.exe
Token: SeLockMemoryPrivilege	6804	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

6804 winlogson.exe

pid	process
6804	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

PrivateHack.exeAppLaunch.exeMainModule.execmd.exedllhost.exe

description	pid	process	target process
PID 4944 wrote to memory of 166184	4944	PrivateHack.exe	AppLaunch.exe
PID 4944 wrote to memory of 166184	4944	PrivateHack.exe	AppLaunch.exe
PID 4944 wrote to memory of 166184	4944	PrivateHack.exe	AppLaunch.exe
PID 4944 wrote to memory of 166184	4944	PrivateHack.exe	AppLaunch.exe
PID 4944 wrote to memory of 166184	4944	PrivateHack.exe	AppLaunch.exe
PID 166184 wrote to memory of 3792	166184	AppLaunch.exe	MainModule.exe
PID 166184 wrote to memory of 3792	166184	AppLaunch.exe	MainModule.exe
PID 166184 wrote to memory of 3792	166184	AppLaunch.exe	MainModule.exe
PID 3792 wrote to memory of 1296	3792	MainModule.exe	cmd.exe
PID 3792 wrote to memory of 1296	3792	MainModule.exe	cmd.exe
PID 3792 wrote to memory of 1296	3792	MainModule.exe	cmd.exe
PID 1296 wrote to memory of 3228	1296	cmd.exe	chcp.com
PID 1296 wrote to memory of 3228	1296	cmd.exe	chcp.com
PID 1296 wrote to memory of 3228	1296	cmd.exe	chcp.com
PID 1296 wrote to memory of 4244	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 4244	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 4244	1296	cmd.exe	powershell.exe
PID 166184 wrote to memory of 2956	166184	AppLaunch.exe	start.exe
PID 166184 wrote to memory of 2956	166184	AppLaunch.exe	start.exe
PID 166184 wrote to memory of 2148	166184	AppLaunch.exe	crypted.exe
PID 166184 wrote to memory of 2148	166184	AppLaunch.exe	crypted.exe
PID 166184 wrote to memory of 2148	166184	AppLaunch.exe	crypted.exe
PID 1296 wrote to memory of 2140	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 2140	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 2140	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 5124	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 5124	1296	cmd.exe	powershell.exe
PID 1296 wrote to memory of 5124	1296	cmd.exe	powershell.exe
PID 3792 wrote to memory of 5252	3792	MainModule.exe	dllhost.exe
PID 3792 wrote to memory of 5252	3792	MainModule.exe	dllhost.exe
PID 3792 wrote to memory of 5252	3792	MainModule.exe	dllhost.exe
PID 5252 wrote to memory of 5312	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5312	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5312	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5332	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5332	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5332	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5364	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5364	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5364	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5400	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5400	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5400	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5420	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5420	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5420	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5452	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5452	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5452	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5484	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5484	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5484	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5528	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5528	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5528	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5580	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5580	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5580	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5612	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5612	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5612	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5684	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5684	5252	dllhost.exe	cmd.exe
PID 5252 wrote to memory of 5684	5252	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PrivateHack.exe
"C:\Users\Admin\AppData\Local\Temp\PrivateHack.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:166184
- - C:\Users\Admin\AppData\Local\Temp\MainModule.exe
    "C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3792
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1296
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:3228
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5124
  - - C:\ProgramData\Dllhost\dllhost.exe
      "C:\ProgramData\Dllhost\dllhost.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5252
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5332
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5364
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5400
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5936
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5420
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5876
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5484
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5908
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5452
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5528
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2852" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5612
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk2852" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:5992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3910" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5580
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3910" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:6032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4065" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1369" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        5⤵
        
        PID:5724
      - C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1369" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:6020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6176
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:6224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
        5⤵
        
        PID:6732
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        6⤵
        
        PID:6784
      - C:\ProgramData\Dllhost\winlogson.exe
        
        C:\ProgramData\Dllhost\winlogson.exe -c config.json
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:6804
- - C:\Users\Admin\AppData\Local\Temp\start.exe
    "C:\Users\Admin\AppData\Local\Temp\start.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2956
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
      4⤵
      PID:6568
    - - C:\Windows\system32\choice.exe
        
        choice /C Y /N /D Y /T 0
        5⤵
        
        PID:6616
- - C:\Users\Admin\AppData\Local\Temp\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\crypted.exe"
    3⤵
    - Executes dropped EXE
    PID:2148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
953KB

MD5
7dadec75c72d9ca68ad351b147ce82d7

SHA1
258718e852b80a293ea8505b2946190dcb3cd806

SHA256
12deb4d3b58a9102ba0a9493ce1e2ea38a57a50214e1da4261b1e2b3d7f5539a

SHA512
655e72a33457425b08592b7db8ab62ed232114355079de20fca23535e69e59bef13e971f48af83a382070abbb7620499b32bd8da5ad6b79f0e5f8502266ccf0d

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
953KB

MD5
7dadec75c72d9ca68ad351b147ce82d7

SHA1
258718e852b80a293ea8505b2946190dcb3cd806

SHA256
12deb4d3b58a9102ba0a9493ce1e2ea38a57a50214e1da4261b1e2b3d7f5539a

SHA512
655e72a33457425b08592b7db8ab62ed232114355079de20fca23535e69e59bef13e971f48af83a382070abbb7620499b32bd8da5ad6b79f0e5f8502266ccf0d

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
7.9MB

MD5
ae6c92c8073b1239390369d3ed93538f

SHA1
a76ea83bdcfa472cd593363e9bb254df494a5577

SHA256
d8d0e8ce7d532250713c7ac9c3e3d144463ce9f47bbf5bd6fc3bb939c739c1a0

SHA512
59de08ea3849243addb3b6aaa2b3ebf71a271eee77239bea0dd190d446a6eec56fd7c5b4fa3668c14074f33f06ab1f011baa0ac2266f6d2d33eb59847841c350

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
312B

MD5
3fd684964005aab765878c363f801709

SHA1
c9b70db2d5b0dae35122c167c5976c1e8460724a

SHA256
79a2f32ae67fce5aecafa7413fb4ba1534e6ad6f98ec5e2bfced5af824846a54

SHA512
f9e83aa7c34a7f40f300e8fbdbe7b01b0f230a2956f0697473aaa87ae574c9c17561855480e0edfe8a6c9cfa7681226c28db0314ade3e50902e759c784d4cf8f

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
0135fad955fc63c0bda02c79738bde6d

SHA1
5d0e42e685510b0cdac4922444879761df721ed2

SHA256
2b6400b92aa887cf003ed65eb7b9906051872e4056ba7ab31cb77812435f6792

SHA512
cf4fd82a90095f9b8259380d8f80fbf5b116925068c898d016cda6a9c4a194a8733261a67e99f18d8f6262c62d36c2d1f98c9dccdf60140918e960d369e757fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
341bb527313d82237ee6c59bb7f96651

SHA1
c1dbcdff3f7196cee0523b3c99ff2f5a2cea899e

SHA256
8f0f3e58c0121b6508617b9c6baef4862a7c851177a37751b975b770dd17b627

SHA512
d0fda2a48fe110bc62a21abca5c1d299e00ccffaefde80e9f2d86a789b2f727f46a6d9e617527d7e1636dbaccf1ff6d681380bd16d1471a6fa4974fa6d795cc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
aa46df1f5beea65fb8e5bda2b6981d1a

SHA1
d9bcea03fc2473e8bd44533bdf8c0cba92c55beb

SHA256
2463c5a9e93f6bae513544999cc8bd91048145b97e25d244212ee83116495f2f

SHA512
50b6509d408d2edee36ba6233689cf770ba467adaf8894164163d3ca5f4e7363a6e854a1f39a780cbbb30e12d7a9a04f229c1336679bf0938b87ff7ce2fb8d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe

Filesize
71KB

MD5
f558323a0bd928b28d92886c451422af

SHA1
f8fea1577dde45a7e64beb369c7dd5a82f4e63b0

SHA256
1c1b228eb1b74e7e6145bda0fbbfc085bd8161246261b86c2accc74c3db5cdce

SHA512
29081513b01c9e477c1c5c27b7e31900a78ad6644f88d5d8923b386574628ad5180cbfb0d57f8cc6d339adfa425fc0f1231f4285a33d033ea18373cdd1273465

Download Submit
C:\Users\Admin\AppData\Local\Temp\crypted.exe

Filesize
616KB

MD5
d95f63fa0b502ae717230d7392179e4b

SHA1
a8ea7f062f82967b349034d6e5879689dfe0785a

SHA256
3d7b54951fa0e3d98601ddde73932d4f0d0f82da51501266d6b7f78af3e12f04

SHA512
d8a82eb0468d9feec9d55bd9e0f71eec72f951144b0c4ca16b90d782029b94279d4647de8106f3740ec7cdc4a1bc92c66f73096c8a051aef2c2646914156defa

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
06103d1e931ea83afb5cac974113c513

SHA1
ef70b042a19addb747697ee3270e1723ff988f5c

SHA256
5fdd4b20a3a14e37444235668e7f641e776e76104db82a17608d6ab283057b63

SHA512
f97ea97ef1431baef2372a7499a76a1edd9494ea31d6544b456d77d18120b4fb73dbc494a36f022b13613c4c636beb59cfb23f96a3386e3f39e9be0e14e1060f

Download Submit
memory/1296-153-0x0000000000000000-mapping.dmp

Download
memory/2140-177-0x0000000000000000-mapping.dmp

Download
memory/2140-180-0x000000006DAF0000-0x000000006DB3C000-memory.dmp

Filesize
304KB

Download
memory/2148-164-0x0000000000000000-mapping.dmp

Download
memory/2956-166-0x0000000000CB0000-0x0000000001A89000-memory.dmp

Filesize
13.8MB

Download
memory/2956-183-0x0000000000CB0000-0x0000000001A89000-memory.dmp

Filesize
13.8MB

Download
memory/2956-215-0x0000000000CB0000-0x0000000001A89000-memory.dmp

Filesize
13.8MB

Download
memory/2956-161-0x0000000000000000-mapping.dmp

Download
memory/3228-154-0x0000000000000000-mapping.dmp

Download
memory/3792-148-0x0000000000000000-mapping.dmp

Download
memory/3792-151-0x0000000000C70000-0x0000000000C88000-memory.dmp

Filesize
96KB

Download
memory/3792-152-0x0000000003060000-0x000000000306A000-memory.dmp

Filesize
40KB

Download
memory/4244-156-0x0000000002900000-0x0000000002936000-memory.dmp

Filesize
216KB

Download
memory/4244-170-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/4244-159-0x00000000058C0000-0x0000000005926000-memory.dmp

Filesize
408KB

Download
memory/4244-158-0x0000000005720000-0x0000000005742000-memory.dmp

Filesize
136KB

Download
memory/4244-157-0x0000000004FA0000-0x00000000055C8000-memory.dmp

Filesize
6.2MB

Download
memory/4244-160-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/4244-155-0x0000000000000000-mapping.dmp

Download
memory/4244-176-0x0000000007440000-0x0000000007448000-memory.dmp

Filesize
32KB

Download
memory/4244-167-0x00000000064B0000-0x00000000064E2000-memory.dmp

Filesize
200KB

Download
memory/4244-168-0x000000006DAF0000-0x000000006DB3C000-memory.dmp

Filesize
304KB

Download
memory/4244-169-0x0000000006470000-0x000000000648E000-memory.dmp

Filesize
120KB

Download
memory/4244-175-0x0000000007450000-0x000000000746A000-memory.dmp

Filesize
104KB

Download
memory/4244-171-0x00000000071E0000-0x00000000071FA000-memory.dmp

Filesize
104KB

Download
memory/4244-172-0x0000000007240000-0x000000000724A000-memory.dmp

Filesize
40KB

Download
memory/4244-173-0x0000000007470000-0x0000000007506000-memory.dmp

Filesize
600KB

Download
memory/4244-174-0x0000000007400000-0x000000000740E000-memory.dmp

Filesize
56KB

Download
memory/5124-184-0x000000006DAF0000-0x000000006DB3C000-memory.dmp

Filesize
304KB

Download
memory/5124-181-0x0000000000000000-mapping.dmp

Download
memory/5252-188-0x00000000000B0000-0x00000000001A4000-memory.dmp

Filesize
976KB

Download
memory/5252-185-0x0000000000000000-mapping.dmp

Download
memory/5312-189-0x0000000000000000-mapping.dmp

Download
memory/5332-190-0x0000000000000000-mapping.dmp

Download
memory/5364-191-0x0000000000000000-mapping.dmp

Download
memory/5400-192-0x0000000000000000-mapping.dmp

Download
memory/5420-193-0x0000000000000000-mapping.dmp

Download
memory/5452-194-0x0000000000000000-mapping.dmp

Download
memory/5484-195-0x0000000000000000-mapping.dmp

Download
memory/5528-196-0x0000000000000000-mapping.dmp

Download
memory/5580-197-0x0000000000000000-mapping.dmp

Download
memory/5612-198-0x0000000000000000-mapping.dmp

Download
memory/5684-199-0x0000000000000000-mapping.dmp

Download
memory/5724-200-0x0000000000000000-mapping.dmp

Download
memory/5840-201-0x0000000000000000-mapping.dmp

Download
memory/5856-202-0x0000000000000000-mapping.dmp

Download
memory/5876-203-0x0000000000000000-mapping.dmp

Download
memory/5908-204-0x0000000000000000-mapping.dmp

Download
memory/5924-205-0x0000000000000000-mapping.dmp

Download
memory/5936-206-0x0000000000000000-mapping.dmp

Download
memory/5972-207-0x0000000000000000-mapping.dmp

Download
memory/5992-208-0x0000000000000000-mapping.dmp

Download
memory/6020-209-0x0000000000000000-mapping.dmp

Download
memory/6032-210-0x0000000000000000-mapping.dmp

Download
memory/6176-212-0x0000000000000000-mapping.dmp

Download
memory/6224-213-0x0000000000000000-mapping.dmp

Download
memory/6568-214-0x0000000000000000-mapping.dmp

Download
memory/6616-216-0x0000000000000000-mapping.dmp

Download
memory/6732-217-0x0000000000000000-mapping.dmp

Download
memory/6784-218-0x0000000000000000-mapping.dmp

Download
memory/6804-219-0x0000000000000000-mapping.dmp

Download
memory/6804-221-0x000001E6FF500000-0x000001E6FF520000-memory.dmp

Filesize
128KB

Download
memory/6804-223-0x000001E6FF550000-0x000001E6FF590000-memory.dmp

Filesize
256KB

Download
memory/6804-224-0x000001E6FF5A0000-0x000001E6FF5C0000-memory.dmp

Filesize
128KB

Download
memory/166184-143-0x0000000005830000-0x000000000584E000-memory.dmp

Filesize
120KB

Download
memory/166184-138-0x0000000007560000-0x000000000766A000-memory.dmp

Filesize
1.0MB

Download
memory/166184-141-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/166184-142-0x0000000008530000-0x0000000008AD4000-memory.dmp

Filesize
5.6MB

Download
memory/166184-137-0x0000000007430000-0x0000000007442000-memory.dmp

Filesize
72KB

Download
memory/166184-130-0x0000000000000000-mapping.dmp

Download
memory/166184-140-0x0000000005670000-0x00000000056E6000-memory.dmp

Filesize
472KB

Download
memory/166184-139-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/166184-144-0x0000000007F80000-0x0000000007FE6000-memory.dmp

Filesize
408KB

Download
memory/166184-136-0x0000000005B90000-0x00000000061A8000-memory.dmp

Filesize
6.1MB

Download
memory/166184-145-0x0000000007FF0000-0x0000000008040000-memory.dmp

Filesize
320KB

Download
memory/166184-131-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/166184-146-0x0000000008AE0000-0x0000000008CA2000-memory.dmp

Filesize
1.8MB

Download
memory/166184-147-0x00000000091E0000-0x000000000970C000-memory.dmp

Filesize
5.2MB

Download