redline | 097c24ae162bd92ddfacc1276aada59fa7d058837c359a3f3a37f2ddc763e841

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2022 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Launcher.exe
Size

4.6MB
MD5

4612516fca7a6fc9c393a76859d89539
SHA1

4d854c616dca1833ee3bb64befb39676a4cd26c3
SHA256

097c24ae162bd92ddfacc1276aada59fa7d058837c359a3f3a37f2ddc763e841
SHA512

700125943a1e7fca1f161c869cf7553e4462bd770763ad49e3ef1591d77ee521ff635b721af241718413442a5ecf3972981579396fd52472e4a5ddcc89b3e290

Score

10^/10

redline xmrig ytstealer infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
2c7c599df95f4eb1a36237ba938268a0

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/163364-139-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/5016-144-0x0000000000400000-0x00000000009F9000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/163756-166-0x0000000000400000-0x0000000001212000-memory.dmp	family_ytstealer
behavioral2/memory/163756-191-0x0000000000400000-0x0000000001212000-memory.dmp	family_ytstealer
behavioral2/memory/163756-228-0x0000000000400000-0x0000000001212000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

baklan.exestart.exedllhost.exewinlogson.exe

pid process

163664 baklan.exe
163756 start.exe
796 dllhost.exe
5344 winlogson.exe

pid	process
163664	baklan.exe
163756	start.exe
796	dllhost.exe
5344	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral2/memory/163756-166-0x0000000000400000-0x0000000001212000-memory.dmp	upx
behavioral2/memory/163756-191-0x0000000000400000-0x0000000001212000-memory.dmp	upx
behavioral2/memory/163756-228-0x0000000000400000-0x0000000001212000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Launcher.exe

description pid process target process

PID 5016 set thread context of 163364 5016 Launcher.exe AppLaunch.exe

description	pid	process	target process
PID 5016 set thread context of 163364	5016	Launcher.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 11 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
4060	schtasks.exe
2432	schtasks.exe
4768	schtasks.exe
3932	schtasks.exe
4140	schtasks.exe
3716	schtasks.exe
3132	schtasks.exe
3504	schtasks.exe
1208	schtasks.exe
3920	schtasks.exe
616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exebaklan.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exe

pid	process
163364	AppLaunch.exe
163664	baklan.exe
4900	powershell.exe
4900	powershell.exe
2524	powershell.exe
2524	powershell.exe
2088	powershell.exe
2088	powershell.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
3740	powershell.exe
3740	powershell.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe
796	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

648

pid	process
648

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

Launcher.exeAppLaunch.exebaklan.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exewinlogson.exe

description	pid	process
Token: 33	5016	Launcher.exe
Token: SeIncBasePriorityPrivilege	5016	Launcher.exe
Token: SeDebugPrivilege	163364	AppLaunch.exe
Token: SeDebugPrivilege	163664	baklan.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	796	dllhost.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeLockMemoryPrivilege	5344	winlogson.exe
Token: SeLockMemoryPrivilege	5344	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5344 winlogson.exe

pid	process
5344	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Launcher.exeAppLaunch.exebaklan.execmd.exedllhost.execmd.execmd.exe

description	pid	process	target process
PID 5016 wrote to memory of 163364	5016	Launcher.exe	AppLaunch.exe
PID 5016 wrote to memory of 163364	5016	Launcher.exe	AppLaunch.exe
PID 5016 wrote to memory of 163364	5016	Launcher.exe	AppLaunch.exe
PID 5016 wrote to memory of 163364	5016	Launcher.exe	AppLaunch.exe
PID 5016 wrote to memory of 163364	5016	Launcher.exe	AppLaunch.exe
PID 163364 wrote to memory of 163664	163364	AppLaunch.exe	baklan.exe
PID 163364 wrote to memory of 163664	163364	AppLaunch.exe	baklan.exe
PID 163364 wrote to memory of 163664	163364	AppLaunch.exe	baklan.exe
PID 163364 wrote to memory of 163756	163364	AppLaunch.exe	start.exe
PID 163364 wrote to memory of 163756	163364	AppLaunch.exe	start.exe
PID 163664 wrote to memory of 163824	163664	baklan.exe	cmd.exe
PID 163664 wrote to memory of 163824	163664	baklan.exe	cmd.exe
PID 163664 wrote to memory of 163824	163664	baklan.exe	cmd.exe
PID 163824 wrote to memory of 4904	163824	cmd.exe	chcp.com
PID 163824 wrote to memory of 4904	163824	cmd.exe	chcp.com
PID 163824 wrote to memory of 4904	163824	cmd.exe	chcp.com
PID 163824 wrote to memory of 4900	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 4900	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 4900	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2524	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2524	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2524	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2088	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2088	163824	cmd.exe	powershell.exe
PID 163824 wrote to memory of 2088	163824	cmd.exe	powershell.exe
PID 163664 wrote to memory of 796	163664	baklan.exe	dllhost.exe
PID 163664 wrote to memory of 796	163664	baklan.exe	dllhost.exe
PID 163664 wrote to memory of 796	163664	baklan.exe	dllhost.exe
PID 796 wrote to memory of 3896	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3896	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3896	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3832	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3832	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3832	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2844	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2844	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2844	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2268	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2268	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2268	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1456	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1456	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1456	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2720	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2720	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 2720	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 4876	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 4876	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 4876	796	dllhost.exe	cmd.exe
PID 3832 wrote to memory of 4140	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4140	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4140	3832	cmd.exe	schtasks.exe
PID 796 wrote to memory of 1388	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1388	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1388	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1728	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1728	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 1728	796	dllhost.exe	cmd.exe
PID 2844 wrote to memory of 4060	2844	cmd.exe	schtasks.exe
PID 2844 wrote to memory of 4060	2844	cmd.exe	schtasks.exe
PID 2844 wrote to memory of 4060	2844	cmd.exe	schtasks.exe
PID 796 wrote to memory of 3164	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3164	796	dllhost.exe	cmd.exe
PID 796 wrote to memory of 3164	796	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Launcher.exe
"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:163364

C:\Users\Admin\AppData\Local\Temp\baklan.exe
"C:\Users\Admin\AppData\Local\Temp\baklan.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:163664

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:163824

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:4904

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3896

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4140

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2268

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1456

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4768

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2720

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3932

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:2844

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4060

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4876

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9811" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4480

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk9811" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4745" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:704

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk4745" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1208

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8314" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3164

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk8314" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:616

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk767" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1728

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk767" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3132

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1388

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3716

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:1540

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:4344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5276

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5324

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5344

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
PID:163756

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
314B

MD5
019b648ebf34a92561c8dc44c3b0d6e6

SHA1
87261782c328a87c54b55851b7aacc269f87cfdf

SHA256
b76051d6e5a9f52b424419c39cff8f07f8f0b387a20eaeb9d135e9d11b0f3671

SHA512
998f63ca8770aa83a627db7fdc55480ec75c20c8a63e5b5fa4f2da8ccc2fe1f0f0e2a679567fcdcb5e6dccd44b2baf7e75b873e9ea1ec3dcc726e0d66b6c1862

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
d8d929964fcc6e32daf2968ba072299d

SHA1
7efceef5e453ab7664eee60e16f9c84c97c4e849

SHA256
0bb31a31d88cc9fbd2b7079c4defa375af28e6a0e3e8e03d2a8637c70974f560

SHA512
f61f48ef177357861259a9b413f1419b577d88331007cc77ee8f2bfdd3378f56e965f03c3decc7660e16e9c17fbc68081a746de1b5fa7e2f03d260bbb1ed5827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
f28643f2a3c5f5e095deb0aed4be6b51

SHA1
96d6f6682c10cbe3f88982858be786587ae23f66

SHA256
5b6edd99d773544ee5d570b84b2cfb7a9ead40f2651cdb9d869db9ab4d16ef6b

SHA512
d32c0366c166a9e1d5ec4e40e365864faee4b496753a510659b3790001dc861a3aef301e109abf23ccb16a0c96a08a93849cc16a56767d78f3bcf814bbc691b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
62fb41ea822e589354836ca0e8c3ea23

SHA1
ebc04cf606a8d6661ecda3274a2d0b839098055a

SHA256
aa17a56c9530a96ec0a542370a1842e7e42862be06307c2dfae4b19533889290

SHA512
aea3403886ab94ea50e4a683b7107f0f7c374c6bbeb6e639695fdf24cdd6f6968687c54c4f238b51317661debba400fb3822248e14aaf43eb4eb0f4c8c266813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
c036d0329c883234a71d0e266c5b1097

SHA1
40cfcb49a757bad2a32db4303106dc29b8351069

SHA256
54d9bd505bd2c64475d099b2d33a40f91b7bd42f948607e9023828d58ea9b225

SHA512
0791fbf3bc46b85cdd10ff8c8e48701ba3b79fafbe13dc1e36d8bf549e5f44e3854ee53278185dfbfd2bc3cde08872f3b83f54636f419616e2e3e6e0ffe66ec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\baklan.exe

Filesize
72KB

MD5
8cc3ff31023bde179e029bb3095bbf7f

SHA1
dff06fb929328dd6813c9b6d3714c08983fe4371

SHA256
8680278426baf3dbefe5340efdb6d2fc7291b9c3ceca27b62ead172df436c7b5

SHA512
310f269e376fbced37a92948afbc888b65623cb1120e94f5c0389e237f24a4a02931475606ff2add68ae3cf921dafde20bf002bcddd5e70d8ea687bb40be2118

Download Submit
C:\Users\Admin\AppData\Local\Temp\baklan.exe

Filesize
72KB

MD5
8cc3ff31023bde179e029bb3095bbf7f

SHA1
dff06fb929328dd6813c9b6d3714c08983fe4371

SHA256
8680278426baf3dbefe5340efdb6d2fc7291b9c3ceca27b62ead172df436c7b5

SHA512
310f269e376fbced37a92948afbc888b65623cb1120e94f5c0389e237f24a4a02931475606ff2add68ae3cf921dafde20bf002bcddd5e70d8ea687bb40be2118

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
memory/616-219-0x0000000000000000-mapping.dmp

Download
memory/704-212-0x0000000000000000-mapping.dmp

Download
memory/796-196-0x00000000000C0000-0x00000000001B4000-memory.dmp

Filesize
976KB

Download
memory/796-193-0x0000000000000000-mapping.dmp

Download
memory/1208-216-0x0000000000000000-mapping.dmp

Download
memory/1388-205-0x0000000000000000-mapping.dmp

Download
memory/1456-201-0x0000000000000000-mapping.dmp

Download
memory/1540-221-0x0000000000000000-mapping.dmp

Download
memory/1728-206-0x0000000000000000-mapping.dmp

Download
memory/2088-189-0x0000000000000000-mapping.dmp

Download
memory/2088-192-0x000000006D760000-0x000000006D7AC000-memory.dmp

Filesize
304KB

Download
memory/2268-200-0x0000000000000000-mapping.dmp

Download
memory/2432-209-0x0000000000000000-mapping.dmp

Download
memory/2524-188-0x000000006D760000-0x000000006D7AC000-memory.dmp

Filesize
304KB

Download
memory/2524-185-0x0000000000000000-mapping.dmp

Download
memory/2720-202-0x0000000000000000-mapping.dmp

Download
memory/2844-199-0x0000000000000000-mapping.dmp

Download
memory/3132-214-0x0000000000000000-mapping.dmp

Download
memory/3164-208-0x0000000000000000-mapping.dmp

Download
memory/3504-215-0x0000000000000000-mapping.dmp

Download
memory/3716-213-0x0000000000000000-mapping.dmp

Download
memory/3740-223-0x0000000000000000-mapping.dmp

Download
memory/3740-224-0x0000028129950000-0x0000028129972000-memory.dmp

Filesize
136KB

Download
memory/3740-226-0x00007FFBBCCE0000-0x00007FFBBD7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3740-227-0x00007FFBBCCE0000-0x00007FFBBD7A1000-memory.dmp

Filesize
10.8MB

Download
memory/3832-198-0x0000000000000000-mapping.dmp

Download
memory/3896-197-0x0000000000000000-mapping.dmp

Download
memory/3920-218-0x0000000000000000-mapping.dmp

Download
memory/3932-210-0x0000000000000000-mapping.dmp

Download
memory/4060-207-0x0000000000000000-mapping.dmp

Download
memory/4140-204-0x0000000000000000-mapping.dmp

Download
memory/4344-222-0x0000000000000000-mapping.dmp

Download
memory/4480-211-0x0000000000000000-mapping.dmp

Download
memory/4768-217-0x0000000000000000-mapping.dmp

Download
memory/4876-203-0x0000000000000000-mapping.dmp

Download
memory/4900-169-0x0000000000000000-mapping.dmp

Download
memory/4900-183-0x0000000007B10000-0x0000000007B2A000-memory.dmp

Filesize
104KB

Download
memory/4900-174-0x00000000064D0000-0x00000000064EE000-memory.dmp

Filesize
120KB

Download
memory/4900-173-0x00000000057D0000-0x0000000005836000-memory.dmp

Filesize
408KB

Download
memory/4900-172-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/4900-171-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/4900-179-0x00000000077E0000-0x00000000077FA000-memory.dmp

Filesize
104KB

Download
memory/4900-170-0x0000000002F10000-0x0000000002F46000-memory.dmp

Filesize
216KB

Download
memory/4900-177-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/4900-178-0x0000000007E60000-0x00000000084DA000-memory.dmp

Filesize
6.5MB

Download
memory/4900-175-0x0000000006AA0000-0x0000000006AD2000-memory.dmp

Filesize
200KB

Download
memory/4900-181-0x0000000007A70000-0x0000000007B06000-memory.dmp

Filesize
600KB

Download
memory/4900-182-0x0000000007A10000-0x0000000007A1E000-memory.dmp

Filesize
56KB

Download
memory/4900-180-0x0000000007850000-0x000000000785A000-memory.dmp

Filesize
40KB

Download
memory/4900-184-0x0000000007A50000-0x0000000007A58000-memory.dmp

Filesize
32KB

Download
memory/4900-176-0x000000006D760000-0x000000006D7AC000-memory.dmp

Filesize
304KB

Download
memory/4904-168-0x0000000000000000-mapping.dmp

Download
memory/5016-137-0x0000000000CA0000-0x0000000000CA3000-memory.dmp

Filesize
12KB

Download
memory/5016-132-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/5016-145-0x0000000002570000-0x00000000029DD000-memory.dmp

Filesize
4.4MB

Download
memory/5016-134-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/5016-136-0x0000000000C10000-0x0000000000C14000-memory.dmp

Filesize
16KB

Download
memory/5016-144-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/5016-135-0x0000000002570000-0x00000000029DD000-memory.dmp

Filesize
4.4MB

Download
memory/5016-133-0x0000000000400000-0x00000000009F9000-memory.dmp

Filesize
6.0MB

Download
memory/5276-229-0x0000000000000000-mapping.dmp

Download
memory/5324-230-0x0000000000000000-mapping.dmp

Download
memory/5344-236-0x0000013429690000-0x00000134296D0000-memory.dmp

Filesize
256KB

Download
memory/5344-237-0x00000134296D0000-0x00000134296F0000-memory.dmp

Filesize
128KB

Download
memory/5344-231-0x0000000000000000-mapping.dmp

Download
memory/5344-234-0x0000013427BD0000-0x0000013427BF0000-memory.dmp

Filesize
128KB

Download
memory/5344-238-0x00000134296D0000-0x00000134296F0000-memory.dmp

Filesize
128KB

Download
memory/163364-139-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/163364-152-0x0000000008B20000-0x0000000008BB2000-memory.dmp

Filesize
584KB

Download
memory/163364-147-0x0000000007E00000-0x0000000007E12000-memory.dmp

Filesize
72KB

Download
memory/163364-146-0x0000000006580000-0x0000000006B98000-memory.dmp

Filesize
6.1MB

Download
memory/163364-149-0x0000000007E70000-0x0000000007EAC000-memory.dmp

Filesize
240KB

Download
memory/163364-150-0x0000000008A10000-0x0000000008A76000-memory.dmp

Filesize
408KB

Download
memory/163364-151-0x0000000009030000-0x00000000095D4000-memory.dmp

Filesize
5.6MB

Download
memory/163364-157-0x00000000095E0000-0x0000000009630000-memory.dmp

Filesize
320KB

Download
memory/163364-138-0x0000000000000000-mapping.dmp

Download
memory/163364-153-0x0000000008BC0000-0x0000000008C36000-memory.dmp

Filesize
472KB

Download
memory/163364-154-0x0000000008DA0000-0x0000000008DBE000-memory.dmp

Filesize
120KB

Download
memory/163364-148-0x0000000007F30000-0x000000000803A000-memory.dmp

Filesize
1.0MB

Download
memory/163364-155-0x0000000009ED0000-0x000000000A092000-memory.dmp

Filesize
1.8MB

Download
memory/163364-156-0x000000000A5D0000-0x000000000AAFC000-memory.dmp

Filesize
5.2MB

Download
memory/163664-161-0x00000000003C0000-0x00000000003D8000-memory.dmp

Filesize
96KB

Download
memory/163664-158-0x0000000000000000-mapping.dmp

Download
memory/163664-162-0x000000000A2D0000-0x000000000A2DA000-memory.dmp

Filesize
40KB

Download
memory/163756-228-0x0000000000400000-0x0000000001212000-memory.dmp

Filesize
14.1MB

Download
memory/163756-163-0x0000000000000000-mapping.dmp

Download
memory/163756-166-0x0000000000400000-0x0000000001212000-memory.dmp

Filesize
14.1MB

Download
memory/163756-191-0x0000000000400000-0x0000000001212000-memory.dmp

Filesize
14.1MB

Download
memory/163824-167-0x0000000000000000-mapping.dmp

Download