redline | 734ea8ecd523dc64cca5a8c4c0541bef85d30caff7c5f90c68071716ed1f9957

Resubmissions

10-04-2023 12:20

230410-phv92sba6v 10

24-09-2022 19:08

220924-xtgj2abgg8 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-09-2022 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Injector.exe
Size

2.6MB
MD5

1e927277321ea1ad6ea6adb21b93ecd8
SHA1

e9f631c34c72ba0ea2cba5e8a43a5e25971a7960
SHA256

734ea8ecd523dc64cca5a8c4c0541bef85d30caff7c5f90c68071716ed1f9957
SHA512

5f80620b7ead02fca31f65b3322a9bdbee5f17c53c5c4e957cef0c57246f1af25421a7dc8f81e1099f9a67b6d8c0da9eb09a78d5e3b7edad82be3b363aefc94f
SSDEEP

24576:eOuJEYEHyIvTv3YlYhIEY3uuMfqdKrRNFPVHKyako+LhVag+eyjtLjHuvLl3RuQi:LuJxESIvTscrDakXadeyjtGvLl3C

Score

10^/10

redline xmrig infostealer miner persistence spyware

Malware Config

Extracted

Family

redline

185.215.113.69:15544

Attributes

auth_value
f8fe4a8075f18f92567eec19f355197c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/100668-133-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

System.exedllhost.exewinlogson.exe

pid process

101244 System.exe
212 dllhost.exe
5148 winlogson.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
101244	System.exe
212	dllhost.exe
5148	winlogson.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Injector.exe

description pid process target process

PID 4992 set thread context of 100668 4992 Injector.exe AppLaunch.exe

description	pid	process	target process
PID 4992 set thread context of 100668	4992	Injector.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3756	schtasks.exe
4320	schtasks.exe
3204	schtasks.exe
3700	schtasks.exe
4196	schtasks.exe
620	schtasks.exe
3148	schtasks.exe
3272	schtasks.exe
2236	schtasks.exe
4460	schtasks.exe
3180	schtasks.exe
5084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeSystem.exepowershell.exepowershell.exepowershell.exedllhost.exe

pid	process
100668	AppLaunch.exe
101244	System.exe
1512	powershell.exe
1512	powershell.exe
1844	powershell.exe
1844	powershell.exe
1220	powershell.exe
1220	powershell.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe
212	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

652

pid	process
652

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AppLaunch.exeSystem.exepowershell.exepowershell.exepowershell.exedllhost.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	100668	AppLaunch.exe
Token: SeDebugPrivilege	101244	System.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	212	dllhost.exe
Token: SeLockMemoryPrivilege	5148	winlogson.exe
Token: SeLockMemoryPrivilege	5148	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5148 winlogson.exe

pid	process
5148	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Injector.exeAppLaunch.exeSystem.execmd.exedllhost.execmd.exe

description	pid	process	target process
PID 4992 wrote to memory of 100668	4992	Injector.exe	AppLaunch.exe
PID 4992 wrote to memory of 100668	4992	Injector.exe	AppLaunch.exe
PID 4992 wrote to memory of 100668	4992	Injector.exe	AppLaunch.exe
PID 4992 wrote to memory of 100668	4992	Injector.exe	AppLaunch.exe
PID 4992 wrote to memory of 100668	4992	Injector.exe	AppLaunch.exe
PID 100668 wrote to memory of 101244	100668	AppLaunch.exe	System.exe
PID 100668 wrote to memory of 101244	100668	AppLaunch.exe	System.exe
PID 100668 wrote to memory of 101244	100668	AppLaunch.exe	System.exe
PID 101244 wrote to memory of 4108	101244	System.exe	cmd.exe
PID 101244 wrote to memory of 4108	101244	System.exe	cmd.exe
PID 101244 wrote to memory of 4108	101244	System.exe	cmd.exe
PID 4108 wrote to memory of 3304	4108	cmd.exe	chcp.com
PID 4108 wrote to memory of 3304	4108	cmd.exe	chcp.com
PID 4108 wrote to memory of 3304	4108	cmd.exe	chcp.com
PID 4108 wrote to memory of 1512	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1512	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1512	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1844	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1844	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1844	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1220	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1220	4108	cmd.exe	powershell.exe
PID 4108 wrote to memory of 1220	4108	cmd.exe	powershell.exe
PID 101244 wrote to memory of 212	101244	System.exe	dllhost.exe
PID 101244 wrote to memory of 212	101244	System.exe	dllhost.exe
PID 101244 wrote to memory of 212	101244	System.exe	dllhost.exe
PID 212 wrote to memory of 4864	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 4864	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 4864	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3896	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3896	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3896	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 4856	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 4856	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 4856	212	dllhost.exe	cmd.exe
PID 4864 wrote to memory of 3756	4864	cmd.exe	schtasks.exe
PID 4864 wrote to memory of 3756	4864	cmd.exe	schtasks.exe
PID 4864 wrote to memory of 3756	4864	cmd.exe	schtasks.exe
PID 212 wrote to memory of 3480	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3480	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3480	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3476	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3476	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3476	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3724	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3724	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3724	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3372	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3372	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3372	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3796	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3796	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3796	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 2248	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 2248	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 2248	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 1488	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 1488	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 1488	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3884	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3884	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 3884	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 744	212	dllhost.exe	cmd.exe
PID 212 wrote to memory of 744	212	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\Injector.exe
"C:\Users\Admin\AppData\Local\Temp\Injector.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:100668

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:101244

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:3304

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:4864

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3756

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3896

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4320

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4856

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3204

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3480

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3476

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3148

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3724

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4460

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3796

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2236

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3372

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3272

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9818" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2248

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk9818" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5116" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:1488

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk5116" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4196

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7762" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3884

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk7762" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:620

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk635" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:744

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk635" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3180

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:1988

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:3912

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:3464

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5128

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
61KB

MD5
d5a003e50c058f6474915597fe27bfea

SHA1
715a1a2b9d1ba6c886d2039089b94e96ea8bb687

SHA256
a3a9409c768e578c2beb391daf4e0fb697031be3942aff8402624cce659fcb07

SHA512
af591a1bc6e26d625f328f5d45ea31ce0e04b55b6d9ca614cd811c555a7defddbabaac48599e54ead0f9c46b3e33e7bae5c6013881daf560b4369f1f214499a5

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
61KB

MD5
d5a003e50c058f6474915597fe27bfea

SHA1
715a1a2b9d1ba6c886d2039089b94e96ea8bb687

SHA256
a3a9409c768e578c2beb391daf4e0fb697031be3942aff8402624cce659fcb07

SHA512
af591a1bc6e26d625f328f5d45ea31ce0e04b55b6d9ca614cd811c555a7defddbabaac48599e54ead0f9c46b3e33e7bae5c6013881daf560b4369f1f214499a5

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
312B

MD5
83abe83087b498d71ced91274fd24992

SHA1
3ed4e818f9c0a08ecc456e4ab155eb077736f296

SHA256
6289676064062accfe5fd67f2d14261a4d00525d2b8e33791bb2b462b0fb3573

SHA512
b7b98abc7ef054e2987bf985f9680edc6aa37006efbaee6c3b4c11e83d37976be10ab61c049c7e0c5e3585ebcccadf9e1d84f0cd3a070ce4f7dd37530dca0a80

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
429f99d045bf7ae258f163a5eabaf778

SHA1
878102dba45e479fcc44afa9b8bb6ccf3cc00da1

SHA256
2cd8f317837efbaf8b5e48990e87edcd2e6356c3da9b353fc6e03ac55ba528db

SHA512
85f40f01c48e6e28030b47600690a29edf984d1b202476720b5c5af281e1ffe2f8206bb4d2dbfdd56ed3b79b09acab4e721f69197792644d15721b16b985a2f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
59fe3618b8236fdb8eee02f5116c9cc4

SHA1
936d87a4f5388d68a6d05d9c4e778e10f9a72dcd

SHA256
b70907cd0241405df7f1e660ed89c961b8dfb3ebcbe10827e3c6b5ed8864e680

SHA512
cec703640d3d061adc264b7b5f319a88eb748d256ee8bccf8135d2959f773fef19056fe5c480675e68b63fe10e0bd489d744459a2a06df754f73c82ea433276d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
07dd3d4ad4ba3117e44b8ed08275edfb

SHA1
798d3c3e055351c1f7f7654c2883c09c03da3511

SHA256
d77a6e3a23566c4040dc9e0ff36f688b6db637de103d0a88a23cd2cea0afa9cd

SHA512
8bdff4c4997ec6db5f79fe5e79bda70b678c604fd75095bc4cf9fa877608e9ed07e268e97cb8615febc307a7fb3f88ba90768dddc04ac7b7027832a7e01682cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
56KB

MD5
1fa019a344896797059379e30f6a570d

SHA1
777352079c99d4b18f6b9db603dff3613dc174f0

SHA256
85a7379a1f8c2b8f6696b658443b0675b8e6da3dab4d2006dc617429cafdaa0b

SHA512
1a2c175406dee81b07e6464b48e62645e93172182c34a4f439397aba985c5c123845df9b1e1f801fbaac02faea1be867b1be70879f3321dfe8fe5fbb300e1d74

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
Filesize
56KB

MD5
1fa019a344896797059379e30f6a570d

SHA1
777352079c99d4b18f6b9db603dff3613dc174f0

SHA256
85a7379a1f8c2b8f6696b658443b0675b8e6da3dab4d2006dc617429cafdaa0b

SHA512
1a2c175406dee81b07e6464b48e62645e93172182c34a4f439397aba985c5c123845df9b1e1f801fbaac02faea1be867b1be70879f3321dfe8fe5fbb300e1d74

Download Submit
memory/212-179-0x0000000000000000-mapping.dmp

Download
memory/212-182-0x0000000000610000-0x0000000000626000-memory.dmp

Filesize
88KB

Download
memory/212-210-0x00000000051D0000-0x00000000051DA000-memory.dmp

Filesize
40KB

Download
memory/620-205-0x0000000000000000-mapping.dmp

Download
memory/744-195-0x0000000000000000-mapping.dmp

Download
memory/1220-178-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/1220-176-0x0000000000000000-mapping.dmp

Download
memory/1488-193-0x0000000000000000-mapping.dmp

Download
memory/1512-157-0x00000000033C0000-0x00000000033F6000-memory.dmp

Filesize
216KB

Download
memory/1512-170-0x0000000007FE0000-0x0000000007FFA000-memory.dmp

Filesize
104KB

Download
memory/1512-156-0x0000000000000000-mapping.dmp

Download
memory/1512-158-0x0000000005D30000-0x0000000006358000-memory.dmp

Filesize
6.2MB

Download
memory/1512-159-0x0000000005BD0000-0x0000000005BF2000-memory.dmp

Filesize
136KB

Download
memory/1512-160-0x0000000005C80000-0x0000000005CE6000-memory.dmp

Filesize
408KB

Download
memory/1512-161-0x0000000006990000-0x00000000069AE000-memory.dmp

Filesize
120KB

Download
memory/1512-162-0x0000000006F60000-0x0000000006F92000-memory.dmp

Filesize
200KB

Download
memory/1512-163-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/1512-164-0x0000000006F40000-0x0000000006F5E000-memory.dmp

Filesize
120KB

Download
memory/1512-165-0x0000000008320000-0x000000000899A000-memory.dmp

Filesize
6.5MB

Download
memory/1512-166-0x0000000007CC0000-0x0000000007CDA000-memory.dmp

Filesize
104KB

Download
memory/1512-167-0x0000000007D10000-0x0000000007D1A000-memory.dmp

Filesize
40KB

Download
memory/1512-168-0x0000000007F40000-0x0000000007FD6000-memory.dmp

Filesize
600KB

Download
memory/1512-169-0x0000000007EF0000-0x0000000007EFE000-memory.dmp

Filesize
56KB

Download
memory/1512-171-0x0000000007F30000-0x0000000007F38000-memory.dmp

Filesize
32KB

Download
memory/1844-172-0x0000000000000000-mapping.dmp

Download
memory/1844-175-0x000000006FFB0000-0x000000006FFFC000-memory.dmp

Filesize
304KB

Download
memory/1988-208-0x0000000000000000-mapping.dmp

Download
memory/2236-202-0x0000000000000000-mapping.dmp

Download
memory/2248-192-0x0000000000000000-mapping.dmp

Download
memory/3148-198-0x0000000000000000-mapping.dmp

Download
memory/3180-206-0x0000000000000000-mapping.dmp

Download
memory/3204-197-0x0000000000000000-mapping.dmp

Download
memory/3272-200-0x0000000000000000-mapping.dmp

Download
memory/3304-155-0x0000000000000000-mapping.dmp

Download
memory/3372-190-0x0000000000000000-mapping.dmp

Download
memory/3464-211-0x0000000000000000-mapping.dmp

Download
memory/3476-188-0x0000000000000000-mapping.dmp

Download
memory/3480-187-0x0000000000000000-mapping.dmp

Download
memory/3700-199-0x0000000000000000-mapping.dmp

Download
memory/3724-189-0x0000000000000000-mapping.dmp

Download
memory/3756-186-0x0000000000000000-mapping.dmp

Download
memory/3796-191-0x0000000000000000-mapping.dmp

Download
memory/3884-194-0x0000000000000000-mapping.dmp

Download
memory/3896-184-0x0000000000000000-mapping.dmp

Download
memory/3912-209-0x0000000000000000-mapping.dmp

Download
memory/4108-154-0x0000000000000000-mapping.dmp

Download
memory/4196-201-0x0000000000000000-mapping.dmp

Download
memory/4320-196-0x0000000000000000-mapping.dmp

Download
memory/4460-203-0x0000000000000000-mapping.dmp

Download
memory/4856-185-0x0000000000000000-mapping.dmp

Download
memory/4864-183-0x0000000000000000-mapping.dmp

Download
memory/5084-204-0x0000000000000000-mapping.dmp

Download
memory/5128-212-0x0000000000000000-mapping.dmp

Download
memory/5148-220-0x000002A638820000-0x000002A638840000-memory.dmp

Filesize
128KB

Download
memory/5148-219-0x000002A638820000-0x000002A638840000-memory.dmp

Filesize
128KB

Download
memory/5148-218-0x000002A6387E0000-0x000002A638820000-memory.dmp

Filesize
256KB

Download
memory/5148-216-0x000002A636EF0000-0x000002A636F10000-memory.dmp

Filesize
128KB

Download
memory/5148-213-0x0000000000000000-mapping.dmp

Download
memory/100668-139-0x00000000054C0000-0x00000000054D2000-memory.dmp

Filesize
72KB

Download
memory/100668-138-0x0000000005A50000-0x0000000006068000-memory.dmp

Filesize
6.1MB

Download
memory/100668-141-0x0000000005520000-0x000000000555C000-memory.dmp

Filesize
240KB

Download
memory/100668-142-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/100668-145-0x00000000064D0000-0x0000000006546000-memory.dmp

Filesize
472KB

Download
memory/100668-140-0x00000000055F0000-0x00000000056FA000-memory.dmp

Filesize
1.0MB

Download
memory/100668-132-0x0000000000000000-mapping.dmp

Download
memory/100668-146-0x00000000065D0000-0x00000000065EE000-memory.dmp

Filesize
120KB

Download
memory/100668-144-0x0000000006430000-0x00000000064C2000-memory.dmp

Filesize
584KB

Download
memory/100668-143-0x0000000006920000-0x0000000006EC4000-memory.dmp

Filesize
5.6MB

Download
memory/100668-147-0x0000000007E50000-0x0000000008012000-memory.dmp

Filesize
1.8MB

Download
memory/100668-133-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/100668-148-0x0000000008550000-0x0000000008A7C000-memory.dmp

Filesize
5.2MB

Download
memory/101244-149-0x0000000000000000-mapping.dmp

Download
memory/101244-153-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/101244-152-0x0000000000A00000-0x0000000000A14000-memory.dmp

Filesize
80KB

Download