redline | hxxp://141[.]98[.]6[.]236/TPBActivetor/ZvfejoxpnTPBA-1[.]exe

General

Target

http://141.98.6.236/TPBActivetor/ZvfejoxpnTPBA-1.exe

Score

10^/10

redline tpb-activator infostealer

Malware Config

Extracted

Family

redline

Botnet

TPB-ACTIVATOR

C2

amrican-sport-live-stream.cc:4581

Attributes

auth_value
df7c91432437b11d8f25d54ba7832b8d

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4260-140-0x0000000000400000-0x0000000000444000-memory.dmp	family_redline

Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

ZvfejoxpnTPBA-1.exe

pid process

4212 ZvfejoxpnTPBA-1.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

ZvfejoxpnTPBA-1.exe

description pid process target process

PID 4212 set thread context of 4260 4212 ZvfejoxpnTPBA-1.exe RegAsm.exe

pid	process
4212	ZvfejoxpnTPBA-1.exe

description	pid	process	target process
PID 4212 set thread context of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 812b0bf72a9dd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2060848870"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2072882123"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08cd77bebaad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A652F39E-16DE-11ED-BFB6-7A3262F2BC06} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{818907F2-52D5-476E-B693-272553C18AE0}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30976747"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ecbea742cdd51744a22318f0bb77b68200000000020000000000106600000001000020000000f7ffc1a94157448b1f85e288cd8063d2c8780c386134ef024ec70a543941f287000000000e80000000020000200000002da253c9ed2bd98577752fb3c5fa2a2cfc7136289e2473601753912d9bac9c4b20000000d32671f34a5ad43bade74c7201898f7893dfff25ec1b4860aaf85385a1adb0db400000003e419547c5911e8c2667d48645055a906be5f3d673c8e12a9260c98f991840fc7025d99ffae4d223b42fa7a2dd62473b807f72e86042b14476f1bf7843114ed0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "366703080"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30976747"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2060848870"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30976747"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a6cb7bebaad801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ecbea742cdd51744a22318f0bb77b682000000000200000000001066000000010000200000002ca711da5b116ec7f40fb5706b25d1fdef26cde67a084a60004c73ce392e3cc1000000000e80000000020000200000002ea20a4a9c755b5f507a5085465441e65fe34bcb43e516c53fdedb62c7bff750200000000764dfaa13640cff36079f74b3054ae2b08e6813593f89262c971c37ed7e0cae400000005cdfe502c749a568bf7878d66e7900c49c3acaaf0496a2913c5e2a03d0cc9f15c0745df2ef65de4656a9321cd1a4dec1be5e00cf0bbee6787d5bd9dcf2cc4ff6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies registry class 56 IoCs

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000bcad4191f09cd80198482695f09cd8012662e795f09cd80114000000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

ZvfejoxpnTPBA-1.exe

pid process

4212 ZvfejoxpnTPBA-1.exe
4212 ZvfejoxpnTPBA-1.exe
4212 ZvfejoxpnTPBA-1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ZvfejoxpnTPBA-1.exe

description pid process

Token: SeDebugPrivilege 4212 ZvfejoxpnTPBA-1.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

3036 iexplore.exe
3036 iexplore.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

3036 iexplore.exe
3036 iexplore.exe
3460 IEXPLORE.EXE
3460 IEXPLORE.EXE
3036 iexplore.exe

pid	process
4212	ZvfejoxpnTPBA-1.exe
4212	ZvfejoxpnTPBA-1.exe
4212	ZvfejoxpnTPBA-1.exe

description	pid	process
Token: SeDebugPrivilege	4212	ZvfejoxpnTPBA-1.exe

pid	process
3036	iexplore.exe
3036	iexplore.exe

pid	process
3036	iexplore.exe
3036	iexplore.exe
3460	IEXPLORE.EXE
3460	IEXPLORE.EXE
3036	iexplore.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

iexplore.exeZvfejoxpnTPBA-1.exe

description	pid	process	target process
PID 3036 wrote to memory of 3460	3036	iexplore.exe	IEXPLORE.EXE
PID 3036 wrote to memory of 3460	3036	iexplore.exe	IEXPLORE.EXE
PID 3036 wrote to memory of 3460	3036	iexplore.exe	IEXPLORE.EXE
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe
PID 4212 wrote to memory of 4260	4212	ZvfejoxpnTPBA-1.exe	RegAsm.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://141.98.6.236/TPBActivetor/ZvfejoxpnTPBA-1.exe
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3036

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3036 CREDAT:17410 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Users\Admin\Desktop\ZvfejoxpnTPBA-1.exe
"C:\Users\Admin\Desktop\ZvfejoxpnTPBA-1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
2⤵
PID:4260

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
471B

MD5
61f75e02b1e26816775d4aad01e1b982

SHA1
73e49c3efcf7341482e69a281dc0fc5ceed83484

SHA256
13faa20d378ed3285ba83d243e5a30a3377d8c7b6f0f9bf5aec95ff53fb357da

SHA512
98ac49e964f65f71d146b20a4dc81ff75e158d5ea3f1a8101b20796eb296bc30707d6ee1f7ffbc8a90c95d34ad208eb808f73828d7925d85e04ca2e244cb2fae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize
404B

MD5
f7ded4f8cbf75839b91c55201431c159

SHA1
8b2d3ea01228e3779885641386045148e578350e

SHA256
d87f615d12adce3e7958458d1e02d5a03d9a8772f778a147c45db2c7f259759d

SHA512
a370d3b8e0157180c0c4e849a6b2091c79ad0e104f45d8003d46806bbe5bac9477e96817f3f70a2a3b57f69504e712c835e8651457eb7003573dfc994d32bd28

Download Submit
C:\Users\Admin\Desktop\ZvfejoxpnTPBA-1.exe
Filesize
783KB

MD5
f84905c8ef2f1a66d371f78f5eef018c

SHA1
db9b70232eec3d62d2c7bb6a2ae2bdb637286760

SHA256
dcf6833e580432fec0174bdb64dced1e9e9abf086a77a5799138d807499a22f7

SHA512
ffe297457c73e1497a7dea57ede5ad4b2c694c6b785d7981454b860aae72a176f656ab6903d931a76fabe26f7ae12c6eb547b179402a1cb9d934701fe214140f

Download Submit
C:\Users\Admin\Desktop\ZvfejoxpnTPBA-1.exe.5vrdlin.partial
Filesize
783KB

MD5
f84905c8ef2f1a66d371f78f5eef018c

SHA1
db9b70232eec3d62d2c7bb6a2ae2bdb637286760

SHA256
dcf6833e580432fec0174bdb64dced1e9e9abf086a77a5799138d807499a22f7

SHA512
ffe297457c73e1497a7dea57ede5ad4b2c694c6b785d7981454b860aae72a176f656ab6903d931a76fabe26f7ae12c6eb547b179402a1cb9d934701fe214140f

Download Submit
memory/4212-136-0x000000002B830000-0x000000002B896000-memory.dmp

Filesize
408KB

Download
memory/4212-135-0x0000000005170000-0x0000000005192000-memory.dmp

Filesize
136KB

Download
memory/4212-134-0x00000000004F0000-0x00000000005BA000-memory.dmp

Filesize
808KB

Download
memory/4212-137-0x000000002BCE0000-0x000000002BD72000-memory.dmp

Filesize
584KB

Download
memory/4212-138-0x000000002C330000-0x000000002C8D4000-memory.dmp

Filesize
5.6MB

Download
memory/4260-139-0x0000000000000000-mapping.dmp

Download
memory/4260-140-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/4260-141-0x000000000AB50000-0x000000000B168000-memory.dmp

Filesize
6.1MB

Download
memory/4260-142-0x000000000A5D0000-0x000000000A5E2000-memory.dmp

Filesize
72KB

Download
memory/4260-143-0x000000000A700000-0x000000000A80A000-memory.dmp

Filesize
1.0MB

Download
memory/4260-144-0x000000000A630000-0x000000000A66C000-memory.dmp

Filesize
240KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads