redline | aec0e1cfd256897d421f243f1b4cb482995ca2ef910f8b3d8113632f3e71e315

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2022 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Injector.exe
Size

2.4MB
MD5

cb0145387a030a5752379a0e5d4c19ca
SHA1

b8c040fbc133fb39c8081d9aa20520876f0a72af
SHA256

aec0e1cfd256897d421f243f1b4cb482995ca2ef910f8b3d8113632f3e71e315
SHA512

ea064ac9dae9eb91408baac94acaa2215c6e34c151d49b814740216de8e8c5c9ceac1f47a486aadeb328c22ddb0ed8913997a2517475cb906ddbd7aeeddc2ae9
SSDEEP

24576:vMWtYESYcYklrbgwMWclhnYewyozyTSSOZo4ynYhLmVQLbSNdt0FdNeJFIl3RuQW:EgYPFyozyDnYhLmVQ2xIl32

Score

10^/10

redline xmrig ytstealer infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

193.106.191.160:8673

Attributes

auth_value
ca4f0d882489c8ec9829dd7a4f352198

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/150636-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

YTStealer
YTStealer is a malware designed to steal YouTube authentication cookies.
stealer ytstealer

YTStealer payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/151244-177-0x00000000002B0000-0x0000000001088000-memory.dmp	family_ytstealer
behavioral2/memory/151244-183-0x00000000002B0000-0x0000000001088000-memory.dmp	family_ytstealer

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

yu.exeMainModule.exedllhost.exewinlogson.exe

pid process

151244 yu.exe
151272 MainModule.exe
992 dllhost.exe
6632 winlogson.exe

pid	process
151244	yu.exe
151272	MainModule.exe
992	dllhost.exe
6632	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\yu.exe	upx
C:\Users\Admin\AppData\Roaming\yu.exe	upx
behavioral2/memory/151244-157-0x00000000002B0000-0x0000000001088000-memory.dmp	upx
behavioral2/memory/151244-177-0x00000000002B0000-0x0000000001088000-memory.dmp	upx
behavioral2/memory/151244-183-0x00000000002B0000-0x0000000001088000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

Injector.exe

description pid process target process

PID 1316 set thread context of 150636 1316 Injector.exe AppLaunch.exe

description	pid	process	target process
PID 1316 set thread context of 150636	1316	Injector.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2712	schtasks.exe
376	schtasks.exe
3228	schtasks.exe
2548	schtasks.exe
3920	schtasks.exe
2432	schtasks.exe
4492	schtasks.exe
1460	schtasks.exe
4504	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exeyu.exepowershell.exedllhost.exe

pid	process
150636	AppLaunch.exe
151272	MainModule.exe
4848	powershell.exe
4848	powershell.exe
320	powershell.exe
320	powershell.exe
151244	yu.exe
151244	yu.exe
151244	yu.exe
151244	yu.exe
4900	powershell.exe
4900	powershell.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe
992	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

640

pid	process
640

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	150636	AppLaunch.exe
Token: SeDebugPrivilege	151272	MainModule.exe
Token: SeDebugPrivilege	4848	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	4900	powershell.exe
Token: SeDebugPrivilege	992	dllhost.exe
Token: SeLockMemoryPrivilege	6632	winlogson.exe
Token: SeLockMemoryPrivilege	6632	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

6632 winlogson.exe

pid	process
6632	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Injector.exeAppLaunch.exeMainModule.execmd.exeyu.execmd.exedllhost.exe

description	pid	process	target process
PID 1316 wrote to memory of 150636	1316	Injector.exe	AppLaunch.exe
PID 1316 wrote to memory of 150636	1316	Injector.exe	AppLaunch.exe
PID 1316 wrote to memory of 150636	1316	Injector.exe	AppLaunch.exe
PID 1316 wrote to memory of 150636	1316	Injector.exe	AppLaunch.exe
PID 1316 wrote to memory of 150636	1316	Injector.exe	AppLaunch.exe
PID 150636 wrote to memory of 151244	150636	AppLaunch.exe	yu.exe
PID 150636 wrote to memory of 151244	150636	AppLaunch.exe	yu.exe
PID 150636 wrote to memory of 151272	150636	AppLaunch.exe	MainModule.exe
PID 150636 wrote to memory of 151272	150636	AppLaunch.exe	MainModule.exe
PID 150636 wrote to memory of 151272	150636	AppLaunch.exe	MainModule.exe
PID 151272 wrote to memory of 150652	151272	MainModule.exe	cmd.exe
PID 151272 wrote to memory of 150652	151272	MainModule.exe	cmd.exe
PID 151272 wrote to memory of 150652	151272	MainModule.exe	cmd.exe
PID 150652 wrote to memory of 150628	150652	cmd.exe	chcp.com
PID 150652 wrote to memory of 150628	150652	cmd.exe	chcp.com
PID 150652 wrote to memory of 150628	150652	cmd.exe	chcp.com
PID 150652 wrote to memory of 4848	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 4848	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 4848	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 320	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 320	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 320	150652	cmd.exe	powershell.exe
PID 151244 wrote to memory of 4248	151244	yu.exe	cmd.exe
PID 151244 wrote to memory of 4248	151244	yu.exe	cmd.exe
PID 4248 wrote to memory of 5084	4248	cmd.exe	choice.exe
PID 4248 wrote to memory of 5084	4248	cmd.exe	choice.exe
PID 150652 wrote to memory of 4900	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 4900	150652	cmd.exe	powershell.exe
PID 150652 wrote to memory of 4900	150652	cmd.exe	powershell.exe
PID 151272 wrote to memory of 992	151272	MainModule.exe	dllhost.exe
PID 151272 wrote to memory of 992	151272	MainModule.exe	dllhost.exe
PID 151272 wrote to memory of 992	151272	MainModule.exe	dllhost.exe
PID 992 wrote to memory of 4192	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 4192	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 4192	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2400	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2400	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2400	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 620	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 620	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 620	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3800	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3800	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3800	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2916	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2916	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2916	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 4720	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 4720	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 4720	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2200	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2200	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2200	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2332	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2332	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2332	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3104	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3104	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 3104	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2044	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2044	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 2044	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 1732	992	dllhost.exe	cmd.exe
PID 992 wrote to memory of 1732	992	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:150636

C:\Users\Admin\AppData\Roaming\yu.exe
"C:\Users\Admin\AppData\Roaming\yu.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:151244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\AppData\Roaming\yu.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:5084

C:\Users\Admin\AppData\Roaming\MainModule.exe
"C:\Users\Admin\AppData\Roaming\MainModule.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:151272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:150652

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:150628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4848

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4900

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4192

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2400

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2712

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:620

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:376

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2916

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3800

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3228

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2200

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2548

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6732" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3104

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk6732" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1019" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2044

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk1019" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4504

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2332

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3920

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5624" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1732

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk5624" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk6031" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3900

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5148

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5196

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:6564

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:6616

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6632

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
951KB

MD5
2f65aa26f19b301f51a2d954f1c26821

SHA1
63acc00e697efdeaa57f7657e6d95758173e482e

SHA256
c01ed91474cdef0cd5d17a6b36a41c8ebc919abc133c04af3d1f4df67dfe590d

SHA512
af732f9cac31fde6de525faed92b468b38acda3ffca9c94f2c41f027b01e65dacc085c7d8563462f71d8573c2190a6014d79490e9cb0af5ca37ebf26a3aaa326

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
313B

MD5
9c0c33e2336fe3764441875148694042

SHA1
d5aea1f5db73fa371447a8a7ecbfe9d7afbae2a4

SHA256
f1f47f1f2a97511a27ca9e05252c42f83086bbd460d635fdae83366086dd73e8

SHA512
b53cf66be6af52bf64b20d626353944e07a17ddab0b16f1036f968aa76b7ed27a6d6316469ac6a0bc501001c8d9c2d8954b586bffec4c5f1095f414822877c40

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
2808c094a5f0d95222a3a49869a88407

SHA1
2a09eb4284fc916ba893c664c0986390ac34df44

SHA256
81455985e362912b11187efee1a80a86a94ded8f67a23ba89f898be704b87ab9

SHA512
8d057ee3f6d84fb0d656416bc150f132aef04c73bbaa422c1dcda4e86360f83bf7cf1be361f627ca66de02b68c905ee347a402b52282d6dba5d32373d009707f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
0075ed603c608434024e4ccda35d2018

SHA1
58c6034c32f53fe5b0155fa915529ccb4224b573

SHA256
3efdc77d1f8e34f84c3a9c86b224e3574237342fe903dfa8ce33a7fa026c03c7

SHA512
4ac869a22f89685b389746790a342ff05758d51c6917806d4358fc9f29bf3485d0b2d883d0a01da52a2071c42058797e60108dbf92aa273eead328d6148190d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
51977cd7e62e127bfe765cb2d43af2e4

SHA1
42c25ebc02f9f2fd20453b4f4274052eb174c630

SHA256
05199adfa2f5708dd572229d548b0f844366dbc5c4541a45d3fb317b20e4495f

SHA512
5a8d513f7a2de511b9b5c9a64ec5f0915d3ee0e62780f6b8c4f4831effd2f4d273e3b11e74dc59375d38ad0d2d29bf1b506bbddf7c253454ec9f8cab943d1330

Download Submit
C:\Users\Admin\AppData\Roaming\MainModule.exe
Filesize
71KB

MD5
cbf8cd57b7218d9d64a5d5f619c8627b

SHA1
e371e286526bb65f8696760b492e42c3339f21ba

SHA256
8d7c856957e45c916388d4bcfc32b6188cfad9f0ee07917b1a0d720421ba606e

SHA512
78ea79db46a989bc547f6d409cc96fdbc32c9050280af2ec4e49002f668eb447566ecf6a4f1c41a5d9f31d8e5dbaa274653c0f27307c59e72aa449a6e5a7e026

Download Submit
C:\Users\Admin\AppData\Roaming\MainModule.exe
Filesize
71KB

MD5
cbf8cd57b7218d9d64a5d5f619c8627b

SHA1
e371e286526bb65f8696760b492e42c3339f21ba

SHA256
8d7c856957e45c916388d4bcfc32b6188cfad9f0ee07917b1a0d720421ba606e

SHA512
78ea79db46a989bc547f6d409cc96fdbc32c9050280af2ec4e49002f668eb447566ecf6a4f1c41a5d9f31d8e5dbaa274653c0f27307c59e72aa449a6e5a7e026

Download Submit
C:\Users\Admin\AppData\Roaming\yu.exe
Filesize
4.0MB

MD5
da70d0aab8cad0887e5e9b5174c9d87d

SHA1
af5096c0b9fd4f4926850c4479c8e0e0eac8c91b

SHA256
6617c1ab08b88711538b600fc4c5cf76098088b436185f5590cdb0e1fc1f6b13

SHA512
c100a08bccfa00dcf93160b6174940db1b6839aafbbaec8caa25c4c0e004c96aebf243552df85b7dff56915401bfcb0ecb9caa9bce2edf0d29a9b52c849ebcc5

Download Submit
C:\Users\Admin\AppData\Roaming\yu.exe
Filesize
4.0MB

MD5
da70d0aab8cad0887e5e9b5174c9d87d

SHA1
af5096c0b9fd4f4926850c4479c8e0e0eac8c91b

SHA256
6617c1ab08b88711538b600fc4c5cf76098088b436185f5590cdb0e1fc1f6b13

SHA512
c100a08bccfa00dcf93160b6174940db1b6839aafbbaec8caa25c4c0e004c96aebf243552df85b7dff56915401bfcb0ecb9caa9bce2edf0d29a9b52c849ebcc5

Download Submit
memory/320-181-0x0000000071BD0000-0x0000000071C1C000-memory.dmp

Filesize
304KB

Download
memory/320-178-0x0000000000000000-mapping.dmp

Download
memory/376-206-0x0000000000000000-mapping.dmp

Download
memory/620-194-0x0000000000000000-mapping.dmp

Download
memory/992-187-0x0000000000000000-mapping.dmp

Download
memory/992-190-0x0000000000A00000-0x0000000000AF4000-memory.dmp

Filesize
976KB

Download
memory/1460-212-0x0000000000000000-mapping.dmp

Download
memory/1732-202-0x0000000000000000-mapping.dmp

Download
memory/2044-201-0x0000000000000000-mapping.dmp

Download
memory/2200-198-0x0000000000000000-mapping.dmp

Download
memory/2332-199-0x0000000000000000-mapping.dmp

Download
memory/2400-193-0x0000000000000000-mapping.dmp

Download
memory/2432-204-0x0000000000000000-mapping.dmp

Download
memory/2548-208-0x0000000000000000-mapping.dmp

Download
memory/2712-205-0x0000000000000000-mapping.dmp

Download
memory/2916-196-0x0000000000000000-mapping.dmp

Download
memory/3104-200-0x0000000000000000-mapping.dmp

Download
memory/3228-207-0x0000000000000000-mapping.dmp

Download
memory/3800-195-0x0000000000000000-mapping.dmp

Download
memory/3900-203-0x0000000000000000-mapping.dmp

Download
memory/3920-209-0x0000000000000000-mapping.dmp

Download
memory/4192-192-0x0000000000000000-mapping.dmp

Download
memory/4248-182-0x0000000000000000-mapping.dmp

Download
memory/4492-210-0x0000000000000000-mapping.dmp

Download
memory/4504-211-0x0000000000000000-mapping.dmp

Download
memory/4720-197-0x0000000000000000-mapping.dmp

Download
memory/4848-167-0x0000000007710000-0x0000000007742000-memory.dmp

Filesize
200KB

Download
memory/4848-174-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/4848-162-0x0000000004F80000-0x0000000004FB6000-memory.dmp

Filesize
216KB

Download
memory/4848-164-0x0000000005DE0000-0x0000000005E02000-memory.dmp

Filesize
136KB

Download
memory/4848-161-0x0000000000000000-mapping.dmp

Download
memory/4848-170-0x0000000007EF0000-0x000000000856A000-memory.dmp

Filesize
6.5MB

Download
memory/4848-165-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/4848-175-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

Filesize
104KB

Download
memory/4848-171-0x0000000007870000-0x000000000788A000-memory.dmp

Filesize
104KB

Download
memory/4848-163-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/4848-168-0x0000000071BD0000-0x0000000071C1C000-memory.dmp

Filesize
304KB

Download
memory/4848-169-0x0000000006B10000-0x0000000006B2E000-memory.dmp

Filesize
120KB

Download
memory/4848-166-0x0000000006560000-0x000000000657E000-memory.dmp

Filesize
120KB

Download
memory/4848-176-0x0000000007AF0000-0x0000000007AF8000-memory.dmp

Filesize
32KB

Download
memory/4848-173-0x0000000007B00000-0x0000000007B96000-memory.dmp

Filesize
600KB

Download
memory/4848-172-0x00000000078D0000-0x00000000078DA000-memory.dmp

Filesize
40KB

Download
memory/4900-191-0x0000000071BD0000-0x0000000071C1C000-memory.dmp

Filesize
304KB

Download
memory/4900-185-0x0000000000000000-mapping.dmp

Download
memory/5084-184-0x0000000000000000-mapping.dmp

Download
memory/5148-214-0x0000000000000000-mapping.dmp

Download
memory/5196-215-0x0000000000000000-mapping.dmp

Download
memory/6564-216-0x0000000000000000-mapping.dmp

Download
memory/6616-217-0x0000000000000000-mapping.dmp

Download
memory/6632-218-0x0000000000000000-mapping.dmp

Download
memory/6632-221-0x000001D1C6720000-0x000001D1C6740000-memory.dmp

Filesize
128KB

Download
memory/6632-224-0x000001D25A5C0000-0x000001D25A5E0000-memory.dmp

Filesize
128KB

Download
memory/6632-223-0x000001D1C8010000-0x000001D1C8050000-memory.dmp

Filesize
256KB

Download
memory/6632-225-0x000001D25A5C0000-0x000001D25A5E0000-memory.dmp

Filesize
128KB

Download
memory/150628-160-0x0000000000000000-mapping.dmp

Download
memory/150636-147-0x00000000065F0000-0x0000000006640000-memory.dmp

Filesize
320KB

Download
memory/150636-138-0x0000000005850000-0x0000000005E68000-memory.dmp

Filesize
6.1MB

Download
memory/150636-142-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/150636-132-0x0000000000000000-mapping.dmp

Download
memory/150636-144-0x0000000006290000-0x0000000006322000-memory.dmp

Filesize
584KB

Download
memory/150636-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/150636-143-0x0000000006170000-0x00000000061E6000-memory.dmp

Filesize
472KB

Download
memory/150636-145-0x00000000068E0000-0x0000000006E84000-memory.dmp

Filesize
5.6MB

Download
memory/150636-141-0x0000000005270000-0x00000000052AC000-memory.dmp

Filesize
240KB

Download
memory/150636-140-0x0000000005340000-0x000000000544A000-memory.dmp

Filesize
1.0MB

Download
memory/150636-146-0x0000000006430000-0x000000000644E000-memory.dmp

Filesize
120KB

Download
memory/150636-148-0x0000000007B10000-0x0000000007CD2000-memory.dmp

Filesize
1.8MB

Download
memory/150636-149-0x0000000008210000-0x000000000873C000-memory.dmp

Filesize
5.2MB

Download
memory/150636-139-0x0000000002DC0000-0x0000000002DD2000-memory.dmp

Filesize
72KB

Download
memory/150652-159-0x0000000000000000-mapping.dmp

Download
memory/151244-183-0x00000000002B0000-0x0000000001088000-memory.dmp

Filesize
13.8MB

Download
memory/151244-157-0x00000000002B0000-0x0000000001088000-memory.dmp

Filesize
13.8MB

Download
memory/151244-150-0x0000000000000000-mapping.dmp

Download
memory/151244-177-0x00000000002B0000-0x0000000001088000-memory.dmp

Filesize
13.8MB

Download
memory/151272-153-0x0000000000000000-mapping.dmp

Download
memory/151272-158-0x00000000049C0000-0x00000000049CA000-memory.dmp

Filesize
40KB

Download
memory/151272-156-0x0000000000170000-0x0000000000188000-memory.dmp

Filesize
96KB

Download