redline | 25fe81874728f7b962f31c47988989f587fac28ba3b8b3dc126c1eb79f772541

Analysis

max time kernel
151s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-08-2022 04:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd05b9f4943e47fbd5c563d5d7470d5.exe
Size

3.9MB
MD5

bdd05b9f4943e47fbd5c563d5d7470d5
SHA1

8c607681070f16579219eccc0add734b5e4adfcb
SHA256

25fe81874728f7b962f31c47988989f587fac28ba3b8b3dc126c1eb79f772541
SHA512

5816b168dc0953dbacb958459ba089d76b69ff7181f0f52f19efb9ab5d3423067e1e83e9be2e021883d72461af878ef05a8d18961b2f8c0be55d34b4613761f6

Score

10^/10

redline xmrig ytstealer infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

185.215.113.69:15544

Attributes

auth_value
fb4317bf0c3365222a03787673dee218

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3568-132-0x0000000000400000-0x0000000000AA8000-memory.dmp	family_redline
behavioral2/memory/215016-137-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2796-170-0x00000000009F0000-0x0000000001802000-memory.dmp	family_ytstealer
behavioral2/memory/2796-189-0x00000000009F0000-0x0000000001802000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

start.exeSystem.exedllhost.exewinlogson.exe

pid process

2796 start.exe
1956 System.exe
1756 dllhost.exe
5916 winlogson.exe

pid	process
2796	start.exe
1956	System.exe
1756	dllhost.exe
5916	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral2/memory/2796-156-0x00000000009F0000-0x0000000001802000-memory.dmp	upx
behavioral2/memory/2796-170-0x00000000009F0000-0x0000000001802000-memory.dmp	upx
behavioral2/memory/2796-189-0x00000000009F0000-0x0000000001802000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

bdd05b9f4943e47fbd5c563d5d7470d5.exe

description pid process target process

PID 3568 set thread context of 215016 3568 bdd05b9f4943e47fbd5c563d5d7470d5.exe AppLaunch.exe

description	pid	process	target process
PID 3568 set thread context of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5348	schtasks.exe
5388	schtasks.exe
5336	schtasks.exe
5316	schtasks.exe
5264	schtasks.exe
5276	schtasks.exe
5288	schtasks.exe
5376	schtasks.exe
5252	schtasks.exe

Modifies registry class 2 IoCs

Processes:

AppLaunch.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1502147629-2175634256-330282290-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeSystem.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
215016	AppLaunch.exe
1956	System.exe
2124	powershell.exe
2124	powershell.exe
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe
1756	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660

pid	process
660

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AppLaunch.exeSystem.exepowershell.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	215016	AppLaunch.exe
Token: SeDebugPrivilege	1956	System.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	1280	powershell.exe
Token: SeDebugPrivilege	1756	dllhost.exe
Token: SeLockMemoryPrivilege	5916	winlogson.exe
Token: SeLockMemoryPrivilege	5916	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5916 winlogson.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

OpenWith.exe

pid process

4968 OpenWith.exe

pid	process
5916	winlogson.exe

pid	process
4968	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bdd05b9f4943e47fbd5c563d5d7470d5.exeAppLaunch.exeSystem.execmd.exestart.exedllhost.exe

description	pid	process	target process
PID 3568 wrote to memory of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe
PID 3568 wrote to memory of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe
PID 3568 wrote to memory of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe
PID 3568 wrote to memory of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe
PID 3568 wrote to memory of 215016	3568	bdd05b9f4943e47fbd5c563d5d7470d5.exe	AppLaunch.exe
PID 215016 wrote to memory of 2796	215016	AppLaunch.exe	start.exe
PID 215016 wrote to memory of 2796	215016	AppLaunch.exe	start.exe
PID 215016 wrote to memory of 1956	215016	AppLaunch.exe	System.exe
PID 215016 wrote to memory of 1956	215016	AppLaunch.exe	System.exe
PID 215016 wrote to memory of 1956	215016	AppLaunch.exe	System.exe
PID 1956 wrote to memory of 2592	1956	System.exe	cmd.exe
PID 1956 wrote to memory of 2592	1956	System.exe	cmd.exe
PID 1956 wrote to memory of 2592	1956	System.exe	cmd.exe
PID 2592 wrote to memory of 2988	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 2988	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 2988	2592	cmd.exe	chcp.com
PID 2592 wrote to memory of 2124	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 2124	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 2124	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 3864	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 3864	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 3864	2592	cmd.exe	powershell.exe
PID 2796 wrote to memory of 4408	2796	start.exe	powershell.exe
PID 2796 wrote to memory of 4408	2796	start.exe	powershell.exe
PID 1956 wrote to memory of 1756	1956	System.exe	dllhost.exe
PID 1956 wrote to memory of 1756	1956	System.exe	dllhost.exe
PID 1956 wrote to memory of 1756	1956	System.exe	dllhost.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	powershell.exe
PID 2592 wrote to memory of 1280	2592	cmd.exe	powershell.exe
PID 1756 wrote to memory of 2256	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2256	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2256	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3832	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3832	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3832	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 1008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 1008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 1008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3008	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 4704	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 4704	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 4704	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2000	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2000	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2000	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2324	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2324	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2324	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2496	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2496	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 2496	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3528	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3528	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3528	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3800	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3800	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3800	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3200	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3200	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 3200	1756	dllhost.exe	cmd.exe
PID 1756 wrote to memory of 4004	1756	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\bdd05b9f4943e47fbd5c563d5d7470d5.exe
"C:\Users\Admin\AppData\Local\Temp\bdd05b9f4943e47fbd5c563d5d7470d5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:215016

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:2988

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2256

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5264

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3832

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5276

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5316

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5252

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2000

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5288

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2324

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2496

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5388

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7098" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7098" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5348

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8258" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3200

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk8258" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5336

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1734" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4004

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk1734" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5376

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9311" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3528

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5444

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5488

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5844

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5896

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe

Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json

Filesize
313B

MD5
64f81c0e2f6b9d99650104b626ff657e

SHA1
fca69565549615caa05b34a9a06501dba4f84915

SHA256
3884333484c558c561a113e3dd5930224b1e1cb26eee0674e4459210b21474cf

SHA512
7489947867f4e596a515dd8db537680e5fa574fed98745810112a3d42b47c479ba1c877e3d3d62528295d30eeace2bb265405c22d98abcbebce5e6586b906768

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin

Filesize
1KB

MD5
ac04e6fe877c055ecaeed6e4dabedf18

SHA1
c3d7dfcd0dcfb95ebbff9515024ef0cd9318d9f8

SHA256
ea0e69c72458b3d4cb68218e1e40cb2474cb6f6d72c810cf80ea4e63047fe231

SHA512
3093be34a2b58baca667f943c8d043f4d9e9656d394566ccf5aa4bb1a78256bc55a8745055d3323c050497bf6a91a1745009837ceabf02ac96613bb72bb928fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
fa26c4366c8f5dbe3e40a98a8f5fed36

SHA1
8b1d9af6151ff3c6f184277426a3453f404612fb

SHA256
056db3fe5daf9ababddc27eb9730d7420b9feabb7cc79bad338e09ff7c64fdde

SHA512
5bf3063acb18d527adb647ae1b7b94c928449a7754f0a04089c2d4c761b7c4fcd4dc90e1e371db192b4031aca940aedd55ed0f35fb22f7799906dcefcfeb6744

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b8c344af9906346ff4e2238c2a0a67d0

SHA1
824ef8fe1efcbed78763397814a404d5362898d3

SHA256
469c2949f711e9c783f723e244d314c8e5508a472d10bab225e7d105cec97da0

SHA512
09c139695c1f7655b16f8cfcb4d59bef539977c19410676262a4f0e059aa9098c049985f569239cc6e366a44b89450b3531470be964af0b348c1abaaffd17cd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
b8c344af9906346ff4e2238c2a0a67d0

SHA1
824ef8fe1efcbed78763397814a404d5362898d3

SHA256
469c2949f711e9c783f723e244d314c8e5508a472d10bab225e7d105cec97da0

SHA512
09c139695c1f7655b16f8cfcb4d59bef539977c19410676262a4f0e059aa9098c049985f569239cc6e366a44b89450b3531470be964af0b348c1abaaffd17cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
72KB

MD5
7e03b2609dd2e9506626e5991bcd6f12

SHA1
e2fb7fe2b756bfb88e738d2b292df7ab635fe3d3

SHA256
b1ff384c048f9ac05a326050cfbcb29ebc5d4dc958f056a07c87d6b8282636aa

SHA512
9d199aafeece12fe6800a90282111b4da0fd3359404f42175a9914bb2d6113c2c675f219bae533702a84cfac58ddcb17201072ab72e5389c6ab48b342c4b644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe

Filesize
72KB

MD5
7e03b2609dd2e9506626e5991bcd6f12

SHA1
e2fb7fe2b756bfb88e738d2b292df7ab635fe3d3

SHA256
b1ff384c048f9ac05a326050cfbcb29ebc5d4dc958f056a07c87d6b8282636aa

SHA512
9d199aafeece12fe6800a90282111b4da0fd3359404f42175a9914bb2d6113c2c675f219bae533702a84cfac58ddcb17201072ab72e5389c6ab48b342c4b644e

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe

Filesize
4.0MB

MD5
47b29465bb5fcbbd899f1d98af193f06

SHA1
ddd7c01b07939751f734c1e9b7aa17853447e02c

SHA256
a54ac89930406913a3b0b3b8e3ef738135a9b7fa54b01578f870e26ee9f99efb

SHA512
838a170802283f318712195402dc26dc601d2f81d3dae1f32309e532af732808c1a8b03c80f7dcf99b2ae94276678bb4211a44ebe889335da34a6083c4bd31f8

Download Submit
memory/1008-199-0x0000000000000000-mapping.dmp

Download
memory/1280-217-0x0000000071E00000-0x0000000071E4C000-memory.dmp

Filesize
304KB

Download
memory/1280-195-0x0000000000000000-mapping.dmp

Download
memory/1756-194-0x0000000000A20000-0x0000000000B14000-memory.dmp

Filesize
976KB

Download
memory/1756-190-0x0000000000000000-mapping.dmp

Download
memory/1956-157-0x0000000000000000-mapping.dmp

Download
memory/1956-160-0x0000000000CA0000-0x0000000000CB8000-memory.dmp

Filesize
96KB

Download
memory/1956-161-0x000000000AA10000-0x000000000AA1A000-memory.dmp

Filesize
40KB

Download
memory/2000-202-0x0000000000000000-mapping.dmp

Download
memory/2124-178-0x0000000007580000-0x000000000758E000-memory.dmp

Filesize
56KB

Download
memory/2124-171-0x00000000071D0000-0x0000000007202000-memory.dmp

Filesize
200KB

Download
memory/2124-164-0x0000000000000000-mapping.dmp

Download
memory/2124-165-0x00000000026E0000-0x0000000002716000-memory.dmp

Filesize
216KB

Download
memory/2124-166-0x00000000052C0000-0x00000000058E8000-memory.dmp

Filesize
6.2MB

Download
memory/2124-167-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/2124-168-0x0000000005A70000-0x0000000005AD6000-memory.dmp

Filesize
408KB

Download
memory/2124-169-0x0000000006010000-0x000000000602E000-memory.dmp

Filesize
120KB

Download
memory/2124-180-0x00000000075C0000-0x00000000075C8000-memory.dmp

Filesize
32KB

Download
memory/2124-179-0x0000000007680000-0x000000000769A000-memory.dmp

Filesize
104KB

Download
memory/2124-172-0x0000000071E00000-0x0000000071E4C000-memory.dmp

Filesize
304KB

Download
memory/2124-173-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/2124-174-0x00000000079B0000-0x000000000802A000-memory.dmp

Filesize
6.5MB

Download
memory/2124-175-0x0000000007350000-0x000000000736A000-memory.dmp

Filesize
104KB

Download
memory/2124-176-0x00000000073B0000-0x00000000073BA000-memory.dmp

Filesize
40KB

Download
memory/2124-177-0x00000000075E0000-0x0000000007676000-memory.dmp

Filesize
600KB

Download
memory/2256-197-0x0000000000000000-mapping.dmp

Download
memory/2324-203-0x0000000000000000-mapping.dmp

Download
memory/2496-204-0x0000000000000000-mapping.dmp

Download
memory/2592-162-0x0000000000000000-mapping.dmp

Download
memory/2796-170-0x00000000009F0000-0x0000000001802000-memory.dmp

Filesize
14.1MB

Download
memory/2796-153-0x0000000000000000-mapping.dmp

Download
memory/2796-156-0x00000000009F0000-0x0000000001802000-memory.dmp

Filesize
14.1MB

Download
memory/2796-189-0x00000000009F0000-0x0000000001802000-memory.dmp

Filesize
14.1MB

Download
memory/2988-163-0x0000000000000000-mapping.dmp

Download
memory/3008-200-0x0000000000000000-mapping.dmp

Download
memory/3200-207-0x0000000000000000-mapping.dmp

Download
memory/3528-205-0x0000000000000000-mapping.dmp

Download
memory/3568-132-0x0000000000400000-0x0000000000AA8000-memory.dmp

Filesize
6.7MB

Download
memory/3800-206-0x0000000000000000-mapping.dmp

Download
memory/3832-198-0x0000000000000000-mapping.dmp

Download
memory/3864-185-0x0000000071E00000-0x0000000071E4C000-memory.dmp

Filesize
304KB

Download
memory/3864-181-0x0000000000000000-mapping.dmp

Download
memory/4004-208-0x0000000000000000-mapping.dmp

Download
memory/4408-187-0x00007FFC82BE0000-0x00007FFC836A1000-memory.dmp

Filesize
10.8MB

Download
memory/4408-186-0x0000021DF2B10000-0x0000021DF2B32000-memory.dmp

Filesize
136KB

Download
memory/4408-184-0x0000000000000000-mapping.dmp

Download
memory/4408-188-0x00007FFC82BE0000-0x00007FFC836A1000-memory.dmp

Filesize
10.8MB

Download
memory/4704-201-0x0000000000000000-mapping.dmp

Download
memory/5252-209-0x0000000000000000-mapping.dmp

Download
memory/5264-210-0x0000000000000000-mapping.dmp

Download
memory/5276-212-0x0000000000000000-mapping.dmp

Download
memory/5288-211-0x0000000000000000-mapping.dmp

Download
memory/5316-213-0x0000000000000000-mapping.dmp

Download
memory/5336-214-0x0000000000000000-mapping.dmp

Download
memory/5348-215-0x0000000000000000-mapping.dmp

Download
memory/5376-216-0x0000000000000000-mapping.dmp

Download
memory/5444-219-0x0000000000000000-mapping.dmp

Download
memory/5488-220-0x0000000000000000-mapping.dmp

Download
memory/5844-221-0x0000000000000000-mapping.dmp

Download
memory/5896-222-0x0000000000000000-mapping.dmp

Download
memory/5916-223-0x0000000000000000-mapping.dmp

Download
memory/5916-226-0x000001F649510000-0x000001F649530000-memory.dmp

Filesize
128KB

Download
memory/5916-228-0x000001F649560000-0x000001F6495A0000-memory.dmp

Filesize
256KB

Download
memory/5916-229-0x000001F6495A0000-0x000001F6495C0000-memory.dmp

Filesize
128KB

Download
memory/5916-230-0x000001F6495A0000-0x000001F6495C0000-memory.dmp

Filesize
128KB

Download
memory/215016-152-0x00000000074C0000-0x00000000079EC000-memory.dmp

Filesize
5.2MB

Download
memory/215016-143-0x0000000005250000-0x0000000005262000-memory.dmp

Filesize
72KB

Download
memory/215016-144-0x0000000005380000-0x000000000548A000-memory.dmp

Filesize
1.0MB

Download
memory/215016-149-0x0000000005770000-0x000000000578E000-memory.dmp

Filesize
120KB

Download
memory/215016-151-0x0000000006DC0000-0x0000000006F82000-memory.dmp

Filesize
1.8MB

Download
memory/215016-145-0x00000000052B0000-0x00000000052EC000-memory.dmp

Filesize
240KB

Download
memory/215016-142-0x0000000005870000-0x0000000005E88000-memory.dmp

Filesize
6.1MB

Download
memory/215016-136-0x0000000000000000-mapping.dmp

Download
memory/215016-146-0x0000000006440000-0x00000000069E4000-memory.dmp

Filesize
5.6MB

Download
memory/215016-137-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/215016-147-0x0000000005790000-0x0000000005822000-memory.dmp

Filesize
584KB

Download
memory/215016-150-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/215016-148-0x0000000005E90000-0x0000000005F06000-memory.dmp

Filesize
472KB

Download