redline | 200f4faeff4a788b4a76b60c76f928d0b4418c7fc568eb7911177b51392739d1

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2022 20:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

3.9MB
MD5

7731bbc6b6dcfee6191187e417b48570
SHA1

8c26762bf8cec71b270d2c68c07669dd06940d8c
SHA256

200f4faeff4a788b4a76b60c76f928d0b4418c7fc568eb7911177b51392739d1
SHA512

d56b8c2149029813fe11cb08deb03192279ecb7e9d373e636f7e20e529c7a5cb7e4fcdf8984eb4c943bbb44fd3f982f83b1a1667c884495791831391e0abe5d3

Score

10^/10

redline xmrig ytstealer infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
2c7c599df95f4eb1a36237ba938268a0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4644-132-0x0000000000400000-0x0000000000AA8000-memory.dmp	family_redline
behavioral2/memory/214712-137-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4716-170-0x0000000000A50000-0x0000000001829000-memory.dmp	family_ytstealer
behavioral2/memory/4716-172-0x0000000000A50000-0x0000000001829000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

baklan.exestart.exedllhost.exewinlogson.exe

pid process

214996 baklan.exe
4716 start.exe
4076 dllhost.exe
5236 winlogson.exe

pid	process
214996	baklan.exe
4716	start.exe
4076	dllhost.exe
5236	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral2/memory/4716-161-0x0000000000A50000-0x0000000001829000-memory.dmp	upx
behavioral2/memory/4716-170-0x0000000000A50000-0x0000000001829000-memory.dmp	upx
behavioral2/memory/4716-172-0x0000000000A50000-0x0000000001829000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 2 IoCs

Processes:

Launcher.exebaklan.exe

description	pid	process	target process
PID 4644 set thread context of 214712	4644	Launcher.exe	AppLaunch.exe
PID 214996 set thread context of 3116	214996	baklan.exe	cvtres.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2408	schtasks.exe
4824	schtasks.exe
5024	schtasks.exe
4472	schtasks.exe
4244	schtasks.exe
4800	schtasks.exe
440	schtasks.exe
2156	schtasks.exe
4316	schtasks.exe
2044	schtasks.exe
1676	schtasks.exe
3912	schtasks.exe

Modifies registry class 2 IoCs

Processes:

AppLaunch.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exepowershell.exestart.execvtres.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
214712	AppLaunch.exe
2640	powershell.exe
2640	powershell.exe
4716	start.exe
4716	start.exe
4716	start.exe
4716	start.exe
3116	cvtres.exe
2196	powershell.exe
2196	powershell.exe
4920	powershell.exe
4920	powershell.exe
1664	powershell.exe
1664	powershell.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe
4076	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

672

pid	process
672

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AppLaunch.exepowershell.execvtres.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	214712	AppLaunch.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	3116	cvtres.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	4076	dllhost.exe
Token: SeLockMemoryPrivilege	5236	winlogson.exe
Token: SeLockMemoryPrivilege	5236	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5236 winlogson.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

2592 OpenWith.exe

pid	process
5236	winlogson.exe

pid	process
2592	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeAppLaunch.exebaklan.exestart.execmd.execvtres.execmd.exedllhost.execmd.exe

description	pid	process	target process
PID 4644 wrote to memory of 214712	4644	Launcher.exe	AppLaunch.exe
PID 4644 wrote to memory of 214712	4644	Launcher.exe	AppLaunch.exe
PID 4644 wrote to memory of 214712	4644	Launcher.exe	AppLaunch.exe
PID 4644 wrote to memory of 214712	4644	Launcher.exe	AppLaunch.exe
PID 4644 wrote to memory of 214712	4644	Launcher.exe	AppLaunch.exe
PID 214712 wrote to memory of 214996	214712	AppLaunch.exe	baklan.exe
PID 214712 wrote to memory of 214996	214712	AppLaunch.exe	baklan.exe
PID 214712 wrote to memory of 214996	214712	AppLaunch.exe	baklan.exe
PID 214712 wrote to memory of 4716	214712	AppLaunch.exe	start.exe
PID 214712 wrote to memory of 4716	214712	AppLaunch.exe	start.exe
PID 214996 wrote to memory of 2640	214996	baklan.exe	powershell.exe
PID 214996 wrote to memory of 2640	214996	baklan.exe	powershell.exe
PID 214996 wrote to memory of 2640	214996	baklan.exe	powershell.exe
PID 4716 wrote to memory of 4868	4716	start.exe	cmd.exe
PID 4716 wrote to memory of 4868	4716	start.exe	cmd.exe
PID 4868 wrote to memory of 4184	4868	cmd.exe	choice.exe
PID 4868 wrote to memory of 4184	4868	cmd.exe	choice.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 214996 wrote to memory of 3116	214996	baklan.exe	cvtres.exe
PID 3116 wrote to memory of 1464	3116	cvtres.exe	cmd.exe
PID 3116 wrote to memory of 1464	3116	cvtres.exe	cmd.exe
PID 3116 wrote to memory of 1464	3116	cvtres.exe	cmd.exe
PID 1464 wrote to memory of 2416	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 2416	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 2416	1464	cmd.exe	chcp.com
PID 1464 wrote to memory of 2196	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 2196	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 2196	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 4920	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 4920	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 4920	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1664	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1664	1464	cmd.exe	powershell.exe
PID 1464 wrote to memory of 1664	1464	cmd.exe	powershell.exe
PID 3116 wrote to memory of 4076	3116	cvtres.exe	dllhost.exe
PID 3116 wrote to memory of 4076	3116	cvtres.exe	dllhost.exe
PID 3116 wrote to memory of 4076	3116	cvtres.exe	dllhost.exe
PID 4076 wrote to memory of 3184	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 3184	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 3184	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2120	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2120	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2120	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2748	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2748	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 2748	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 1124	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 1124	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 1124	4076	dllhost.exe	cmd.exe
PID 3184 wrote to memory of 2156	3184	cmd.exe	schtasks.exe
PID 3184 wrote to memory of 2156	3184	cmd.exe	schtasks.exe
PID 3184 wrote to memory of 2156	3184	cmd.exe	schtasks.exe
PID 4076 wrote to memory of 1824	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 1824	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 1824	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 3192	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 3192	4076	dllhost.exe	cmd.exe
PID 4076 wrote to memory of 3192	4076	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:214712

C:\Users\Admin\AppData\Local\Temp\baklan.exe
"C:\Users\Admin\AppData\Local\Temp\baklan.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:214996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious use of WriteProcessMemory
PID:1464

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:2416

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1664

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Suspicious use of WriteProcessMemory
PID:3184

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:2156

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:4316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:2748

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:5024

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:1124

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:4472

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:1824

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:4244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:3192

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:440

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:1676

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:548

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:2408

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3275" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:3128

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3275" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:2044

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk156" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:412

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk156" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:4824

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4327" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:2128

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk4327" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:3912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2978" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
PID:2476

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk2978" /TR "C:\ProgramData\Dllhost\dllhost.exe"
7⤵
- Creates scheduled task(s)
PID:4800

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
PID:3352

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
PID:5168

C:\Windows\SysWOW64\chcp.com
chcp 1251
7⤵
PID:5216

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5236

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Local\Temp\start.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:4184

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
313B

MD5
6ea66d83f2c2f435509e81830f8ff6bd

SHA1
6f796335c09fbc148ca61c80f5cdeb1da25800fa

SHA256
f08dda9d36b04d9abed85223bc45e1aaa821e47d849e7a1f4d4f913108b605ea

SHA512
b39a14073c8d8c638b2dd73dbc533235c7b8274737bf4d4126337b49fa57e4aff7489afcb3751b4865dfa494d63629b7034231542b3bad9f35d693a1fd489290

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
ea7fa08fbc0e69c1c4bb1dcc01845abd

SHA1
9d5b6f0b5a6159a899ebdd45ad60050bc626b86e

SHA256
980fa0f7677c6a0544e048190144988ea39767dd952db3b341335e7455d92351

SHA512
93bfd6b7074a233eb3991df3381fa9888cc7562f9cbf55823b936a0501f6b27ed2397caf7b6a847cc0ae2f09113e149f84e6794dc004db10b8ca3c6b56a6c0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
2b401cf5d2b87e7782a0aa75e1f17317

SHA1
646067773e77ffc1fc54cf1b2ddda5bdcdc8a70b

SHA256
f9a9d97e7dc132a14acc384457013d3676ef0471e5de2d97e3272f5428545c15

SHA512
4ff315ee5a58f721c1822ae35b3edf902dddaccb6683804cb6328b449252c72975ffafaeb82c8b41bb907f943a83bcdf6ae61b46c6ab11cb4c69783837dbed40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b009f92467bf9c4369835420208fa533

SHA1
6090522bd004c6532ae77a7df0803a88fad62e4f

SHA256
e2de38d553952d53a45180125c9354c2629eac73e4bad63cf7376a76ed980a5d

SHA512
bb918990d5356e27b23b88675f187a1f55796b33a6c32d45dec915fe14eba63b91294e34a1b234498535b792e50323c5e316d3cda64e65b2296a38ee516a3757

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
30da8c8de594188288faa180b70c5a6a

SHA1
b14480d52e1b4fa9e8ecf42ecc79ce9ab653bd6b

SHA256
a0894b7e4342d1be33144b59196a77d9951e292a973cd152681c3e2f0c8200bf

SHA512
6a73003759af4f4e00ceeb0778997349cc4e77b7e3b5e66c32eb6fa10f795912d31408833f6ca966423ccb66deb012af08a5325f5e6184cc6c44f59423c2057b

Download Submit
C:\Users\Admin\AppData\Local\Temp\baklan.exe

Filesize
1.1MB

MD5
55732424f55447bab85d8c5fccdb52e7

SHA1
d695aece4cfef1d5e373a5377b44ad37e6fec5be

SHA256
5c597faa0ba8f763176aa47fc9b4b3bae4af8e56a65a1b94c9513b6d01d138a4

SHA512
48327327b4723bfbf002f27ba00c796dd2464056034c0c7f89d6aace8c8e7f77b2c466df3c8f60a27d0f72e357860f6d43df5bdb18320b2c53ba292b0c2fca4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\baklan.exe

Filesize
1.1MB

MD5
55732424f55447bab85d8c5fccdb52e7

SHA1
d695aece4cfef1d5e373a5377b44ad37e6fec5be

SHA256
5c597faa0ba8f763176aa47fc9b4b3bae4af8e56a65a1b94c9513b6d01d138a4

SHA512
48327327b4723bfbf002f27ba00c796dd2464056034c0c7f89d6aace8c8e7f77b2c466df3c8f60a27d0f72e357860f6d43df5bdb18320b2c53ba292b0c2fca4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
b09ec6718a34a70a182f3412b89f6777

SHA1
e730645db18339897aeddb4f21ce662911e03444

SHA256
21c2f78a2ba5891c4dbdc1b50283844c7720ecd3f1187fb9269015524cad2da2

SHA512
5d0f9eb9fcfe8a5d6c42db552d35411116ec0b405e747537a75fd50fb6e9f1d1fc1bf95c169c5ef7c2d217b7cc5d647a6ed36f130e0382a71f919c5e09ec7881

Download Submit
memory/412-213-0x0000000000000000-mapping.dmp

Download
memory/440-221-0x0000000000000000-mapping.dmp

Download
memory/548-210-0x0000000000000000-mapping.dmp

Download
memory/1124-203-0x0000000000000000-mapping.dmp

Download
memory/1208-208-0x0000000000000000-mapping.dmp

Download
memory/1464-177-0x0000000000000000-mapping.dmp

Download
memory/1664-195-0x000000006DBC0000-0x000000006DC0C000-memory.dmp

Filesize
304KB

Download
memory/1664-193-0x0000000000000000-mapping.dmp

Download
memory/1676-217-0x0000000000000000-mapping.dmp

Download
memory/1824-205-0x0000000000000000-mapping.dmp

Download
memory/2044-218-0x0000000000000000-mapping.dmp

Download
memory/2120-201-0x0000000000000000-mapping.dmp

Download
memory/2128-215-0x0000000000000000-mapping.dmp

Download
memory/2156-204-0x0000000000000000-mapping.dmp

Download
memory/2196-187-0x00000000059C0000-0x00000000059CE000-memory.dmp

Filesize
56KB

Download
memory/2196-189-0x0000000007060000-0x0000000007068000-memory.dmp

Filesize
32KB

Download
memory/2196-188-0x0000000007070000-0x000000000708A000-memory.dmp

Filesize
104KB

Download
memory/2196-186-0x00000000070F0000-0x0000000007186000-memory.dmp

Filesize
600KB

Download
memory/2196-185-0x0000000006DD0000-0x0000000006DDA000-memory.dmp

Filesize
40KB

Download
memory/2196-184-0x00000000060D0000-0x00000000060EE000-memory.dmp

Filesize
120KB

Download
memory/2196-183-0x000000006DBC0000-0x000000006DC0C000-memory.dmp

Filesize
304KB

Download
memory/2196-182-0x0000000006CA0000-0x0000000006CD2000-memory.dmp

Filesize
200KB

Download
memory/2196-179-0x0000000000000000-mapping.dmp

Download
memory/2408-222-0x0000000000000000-mapping.dmp

Download
memory/2416-178-0x0000000000000000-mapping.dmp

Download
memory/2476-216-0x0000000000000000-mapping.dmp

Download
memory/2640-164-0x0000000005AB0000-0x00000000060D8000-memory.dmp

Filesize
6.2MB

Download
memory/2640-167-0x00000000067E0000-0x00000000067FE000-memory.dmp

Filesize
120KB

Download
memory/2640-165-0x0000000005A10000-0x0000000005A32000-memory.dmp

Filesize
136KB

Download
memory/2640-162-0x0000000000000000-mapping.dmp

Download
memory/2640-163-0x0000000003240000-0x0000000003276000-memory.dmp

Filesize
216KB

Download
memory/2640-166-0x0000000006150000-0x00000000061B6000-memory.dmp

Filesize
408KB

Download
memory/2640-168-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/2640-169-0x0000000006CD0000-0x0000000006CEA000-memory.dmp

Filesize
104KB

Download
memory/2748-202-0x0000000000000000-mapping.dmp

Download
memory/3116-175-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/3116-176-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/3116-174-0x0000000000000000-mapping.dmp

Download
memory/3128-212-0x0000000000000000-mapping.dmp

Download
memory/3184-200-0x0000000000000000-mapping.dmp

Download
memory/3192-206-0x0000000000000000-mapping.dmp

Download
memory/3352-225-0x0000000000000000-mapping.dmp

Download
memory/3912-220-0x0000000000000000-mapping.dmp

Download
memory/4076-199-0x0000000000510000-0x0000000000604000-memory.dmp

Filesize
976KB

Download
memory/4076-196-0x0000000000000000-mapping.dmp

Download
memory/4184-173-0x0000000000000000-mapping.dmp

Download
memory/4244-214-0x0000000000000000-mapping.dmp

Download
memory/4316-207-0x0000000000000000-mapping.dmp

Download
memory/4472-211-0x0000000000000000-mapping.dmp

Download
memory/4644-132-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download
memory/4716-170-0x0000000000A50000-0x0000000001829000-memory.dmp

Filesize
13.8MB

Download
memory/4716-158-0x0000000000000000-mapping.dmp

Download
memory/4716-161-0x0000000000A50000-0x0000000001829000-memory.dmp

Filesize
13.8MB

Download
memory/4716-172-0x0000000000A50000-0x0000000001829000-memory.dmp

Filesize
13.8MB

Download
memory/4800-219-0x0000000000000000-mapping.dmp

Download
memory/4824-223-0x0000000000000000-mapping.dmp

Download
memory/4868-171-0x0000000000000000-mapping.dmp

Download
memory/4920-192-0x000000006DBC0000-0x000000006DC0C000-memory.dmp

Filesize
304KB

Download
memory/4920-190-0x0000000000000000-mapping.dmp

Download
memory/4928-226-0x0000000000000000-mapping.dmp

Download
memory/5024-209-0x0000000000000000-mapping.dmp

Download
memory/5168-227-0x0000000000000000-mapping.dmp

Download
memory/5216-228-0x0000000000000000-mapping.dmp

Download
memory/5236-229-0x0000000000000000-mapping.dmp

Download
memory/5236-232-0x0000027118070000-0x0000027118090000-memory.dmp

Filesize
128KB

Download
memory/5236-234-0x0000027119B80000-0x0000027119BC0000-memory.dmp

Filesize
256KB

Download
memory/214712-147-0x00000000084F0000-0x0000000008582000-memory.dmp

Filesize
584KB

Download
memory/214712-150-0x0000000008F70000-0x0000000008FD6000-memory.dmp

Filesize
408KB

Download
memory/214712-144-0x00000000079E0000-0x0000000007AEA000-memory.dmp

Filesize
1.0MB

Download
memory/214712-146-0x00000000089C0000-0x0000000008F64000-memory.dmp

Filesize
5.6MB

Download
memory/214712-148-0x0000000008590000-0x0000000008606000-memory.dmp

Filesize
472KB

Download
memory/214712-143-0x00000000078B0000-0x00000000078C2000-memory.dmp

Filesize
72KB

Download
memory/214712-149-0x00000000084C0000-0x00000000084DE000-memory.dmp

Filesize
120KB

Download
memory/214712-145-0x0000000007910000-0x000000000794C000-memory.dmp

Filesize
240KB

Download
memory/214712-151-0x00000000090E0000-0x0000000009130000-memory.dmp

Filesize
320KB

Download
memory/214712-152-0x0000000009300000-0x00000000094C2000-memory.dmp

Filesize
1.8MB

Download
memory/214712-142-0x0000000005FF0000-0x0000000006608000-memory.dmp

Filesize
6.1MB

Download
memory/214712-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/214712-153-0x0000000009E30000-0x000000000A35C000-memory.dmp

Filesize
5.2MB

Download
memory/214712-136-0x0000000000000000-mapping.dmp

Download
memory/214996-154-0x0000000000000000-mapping.dmp

Download
memory/214996-157-0x0000000000590000-0x00000000006AA000-memory.dmp

Filesize
1.1MB

Download