redline | e03979f58b33f0b40c8817f7c2a0106c4a6a51c0b9bd1b8de37435a3b65f0ae1

Analysis

max time kernel
151s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-09-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

private valorant.exe
Size

2.6MB
MD5

4fe4971ca7dba89c1793b359cfbe8fd5
SHA1

2305e68738b5d6ce615d9386e7030c0120609428
SHA256

20178c4c0448a12445242ade89d2dd6973493c22ec545b45d69193fff0795dbd
SHA512

8da1b49237ccf820a11af103432f2c59f7c538735b54ce7f30cd8c4f3ed5f1f823e98691ff889b4a9088b77fdc65d9ea5afbc51d556f5eb53250a64750c442e5
SSDEEP

24576:Iz/1l1gz6B8BWccYvYhFMdeWQMyGdkYlHGTlNn7zVSYZJYvv9vOLyOkDPl3RuQ5C:6P1gu8BWvq8tEYZJYvv9vODkDPl30

Score

10^/10

redline xmrig infostealer miner persistence spyware stealer upx

Malware Config

Extracted

Family

redline

62.204.41.141:24758

Attributes

auth_value
6ecfe2239bb32c15669e8ad6e1fa793c

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/102652-133-0x0000000000400000-0x0000000000428000-memory.dmp	family_redline

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
C:\ProgramData\Dllhost\winlogson.exe	xmrig
C:\ProgramData\Dllhost\winlogson.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

MainModule.exestart.exedllhost.exewinlogson.exe

pid process

103332 MainModule.exe
2276 start.exe
3344 dllhost.exe
5256 winlogson.exe

pid	process
103332	MainModule.exe
2276	start.exe
3344	dllhost.exe
5256	winlogson.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
C:\Users\Admin\AppData\Local\Temp\start.exe	upx
behavioral2/memory/2276-157-0x00000000004E0000-0x00000000017A6000-memory.dmp	upx
behavioral2/memory/2276-180-0x00000000004E0000-0x00000000017A6000-memory.dmp	upx
behavioral2/memory/2276-218-0x00000000004E0000-0x00000000017A6000-memory.dmp	upx

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

dllhost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealthSystray = "C:\\Windows\\System32\\SecurityHealthSystray.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cortana = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe\\Cortana.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpd = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDriveService = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe/file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NvStray = "C:\\Program Files\\WindowsApps\\Microsoft.x64__8wekyb3gfdfdgd8bbwe / file.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\ProgramData\\Dllhost\\dllhost.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsDefender = "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"	dllhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntiMalwareServiceExecutable = "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18.2111.5-0\\MsMpEng.exe"	dllhost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

private valorant.exe

description pid process target process

PID 1436 set thread context of 102652 1436 private valorant.exe AppLaunch.exe

description	pid	process	target process
PID 1436 set thread context of 102652	1436	private valorant.exe	AppLaunch.exe

Creates scheduled task(s) 1 TTPs 10 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2668	schtasks.exe
4492	schtasks.exe
372	schtasks.exe
3732	schtasks.exe
1368	schtasks.exe
3104	schtasks.exe
1960	schtasks.exe
2700	schtasks.exe
4760	schtasks.exe
4340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exe

pid	process
102652	AppLaunch.exe
102652	AppLaunch.exe
103332	MainModule.exe
1644	powershell.exe
1644	powershell.exe
4788	powershell.exe
4788	powershell.exe
4480	powershell.exe
4480	powershell.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
4332	powershell.exe
4332	powershell.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe
3344	dllhost.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

644

pid	process
644

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

AppLaunch.exeMainModule.exepowershell.exepowershell.exepowershell.exedllhost.exepowershell.exewinlogson.exe

description	pid	process
Token: SeDebugPrivilege	102652	AppLaunch.exe
Token: SeDebugPrivilege	103332	MainModule.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	4788	powershell.exe
Token: SeDebugPrivilege	4480	powershell.exe
Token: SeDebugPrivilege	3344	dllhost.exe
Token: SeDebugPrivilege	4332	powershell.exe
Token: SeLockMemoryPrivilege	5256	winlogson.exe
Token: SeLockMemoryPrivilege	5256	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid process

5256 winlogson.exe

pid	process
5256	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

private valorant.exeAppLaunch.exeMainModule.execmd.exedllhost.exe

description	pid	process	target process
PID 1436 wrote to memory of 102652	1436	private valorant.exe	AppLaunch.exe
PID 1436 wrote to memory of 102652	1436	private valorant.exe	AppLaunch.exe
PID 1436 wrote to memory of 102652	1436	private valorant.exe	AppLaunch.exe
PID 1436 wrote to memory of 102652	1436	private valorant.exe	AppLaunch.exe
PID 1436 wrote to memory of 102652	1436	private valorant.exe	AppLaunch.exe
PID 102652 wrote to memory of 103332	102652	AppLaunch.exe	MainModule.exe
PID 102652 wrote to memory of 103332	102652	AppLaunch.exe	MainModule.exe
PID 102652 wrote to memory of 103332	102652	AppLaunch.exe	MainModule.exe
PID 102652 wrote to memory of 2276	102652	AppLaunch.exe	start.exe
PID 102652 wrote to memory of 2276	102652	AppLaunch.exe	start.exe
PID 103332 wrote to memory of 4180	103332	MainModule.exe	cmd.exe
PID 103332 wrote to memory of 4180	103332	MainModule.exe	cmd.exe
PID 103332 wrote to memory of 4180	103332	MainModule.exe	cmd.exe
PID 4180 wrote to memory of 1076	4180	cmd.exe	chcp.com
PID 4180 wrote to memory of 1076	4180	cmd.exe	chcp.com
PID 4180 wrote to memory of 1076	4180	cmd.exe	chcp.com
PID 4180 wrote to memory of 1644	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 1644	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 1644	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4788	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4788	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4788	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4480	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4480	4180	cmd.exe	powershell.exe
PID 4180 wrote to memory of 4480	4180	cmd.exe	powershell.exe
PID 103332 wrote to memory of 3344	103332	MainModule.exe	dllhost.exe
PID 103332 wrote to memory of 3344	103332	MainModule.exe	dllhost.exe
PID 103332 wrote to memory of 3344	103332	MainModule.exe	dllhost.exe
PID 3344 wrote to memory of 3380	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3380	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3380	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3640	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3640	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3640	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3616	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4128	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4128	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4128	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3320	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3320	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3320	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 2288	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 2288	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 2288	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4036	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4036	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4036	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3992	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3992	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3992	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4508	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4508	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 4508	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3408	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3408	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 3408	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 380	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 380	3344	dllhost.exe	cmd.exe
PID 3344 wrote to memory of 380	3344	dllhost.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\private valorant.exe
"C:\Users\Admin\AppData\Local\Temp\private valorant.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:102652

C:\Users\Admin\AppData\Local\Temp\MainModule.exe
"C:\Users\Admin\AppData\Local\Temp\MainModule.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:103332

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 1251 & powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost" & powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
4⤵
- Suspicious use of WriteProcessMemory
PID:4180

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "$ENV:USERPROFILE\Desktop"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\Dllhost"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4788

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData\SystemData"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\ProgramData\Dllhost\dllhost.exe
"C:\ProgramData\Dllhost\dllhost.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3344

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3380

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SecurityHealthSystray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4760

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3640

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefender" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3104

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:616

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WmiPrvSE" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4340

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4128

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3616

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareServiceExecutable" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1960

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3320

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftEdgeUpd" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2668

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:2288

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "OneDriveService" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:372

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3964" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3992

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "WindowsDefenderServices\WindowsDefenderServicesService_bk3964" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:1368

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4036

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "NvStray" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:4492

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "AntiMalwareSericeExecutable\AntiMalwareSericeExecutableService_bk7415" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:4508

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6652" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:3408

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "MicrosoftUpdateServices\MicrosoftUpdateServicesService_bk6652" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:2700

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9317" /TR "C:\ProgramData\Dllhost\dllhost.exe"
5⤵
PID:380

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /CREATE /SC HOURLY /TN "SettingSysHost\SettingSysHostService_bk9317" /TR "C:\ProgramData\Dllhost\dllhost.exe"
6⤵
- Creates scheduled task(s)
PID:3732

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:728

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:4908

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
5⤵
PID:5180

C:\Windows\SysWOW64\chcp.com
chcp 1251
6⤵
PID:5236

C:\ProgramData\Dllhost\winlogson.exe
C:\ProgramData\Dllhost\winlogson.exe -c config.json
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5256

C:\Users\Admin\AppData\Local\Temp\start.exe
"C:\Users\Admin\AppData\Local\Temp\start.exe"
3⤵
- Executes dropped EXE
PID:2276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "Get-WmiObject Win32_PortConnector"
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\dllhost.exe
Filesize
80KB

MD5
55c37445d312c77f534f4797f1034248

SHA1
06ca76148e27fed0db2328a52538f261265ad311

SHA256
8783d5a7a4510df0798adf05fc09b2ebf65c9966f34425ba8642e1c843d2d050

SHA512
c620d684ecac2f5a2ed37442de00e4b50f30cf2d132ad940b7091e96c033e47fd3d5ad93f7a3a00289fc4f5c381fbec510541170a3341db8e88425a8d6eb4f34

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\Dllhost\winlogson.exe
Filesize
5.1MB

MD5
2a0d26b8b02bb2d17994d2a9a38d61db

SHA1
889a9cb0a044c1f675e63ea6ea065a8cf914e2ab

SHA256
3c54646213638e7bd8d0538c28e414824f5eaf31faf19a40eec608179b1074f1

SHA512
07245fb329b5fc9b68e1e88a52b7ab464bafd45442193e4b61cf6788ec0e10cdec2cfa2f59f49fe4a3f8a78a205d62ec0701a3b82a5e8f4257016821fee524ee

Download Submit
C:\ProgramData\SystemFiles\config.json
Filesize
309B

MD5
c0aeb1145af5a17a7cbaca85fcb7dcaf

SHA1
cbe5614df4ef98ea402d82e7c2cd9e1a5d5c1c13

SHA256
98c7da9871a8aecede542ebbad398a65b7b46b9356dc0354c3d7c70be7b9a5dc

SHA512
2d7ed7c953d32eba0a089be0303fadf4096124d40ecf175c9296f272ec21ff3a212a22e1d7fad530e0ae2b9a4575defbc9b10e1da24cdcdda7899ec1d7c027c4

Download Submit
C:\ProgramData\SystemFiles\sys_rh.bin
Filesize
1KB

MD5
b555c3646387dfb63d731d105d489ee5

SHA1
96c19c4871de6e7f3c89c6ae5353193ce72677af

SHA256
3b3a3c5b6f45dccaacaab7c50a3ecc5bdf440c9c99240108ebdb5dd46a4c7447

SHA512
0547ef1c1436b66feaeeb80fc36d215ad34ad6cd23a061336db4cb91607e43ae8cd1452a1fa11709e9bdf061daaae3fa40c6a1644e6374c67c89926ca3309a47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
4499a124fcbb2d7fc1d93ebda5099cb1

SHA1
26274930e14e28cad5f359c57ef09bbfb05af658

SHA256
a6e4db17d1d9c1f741d304b75f331827892ba3f0c08f4d3546329db732b68b65

SHA512
77ae57046be55c7d89d379a8931b29007ab5bc7d05c575896b50486cae7aaf56f1ff3eb7a7e4061623aed65406dcd8870544faf401371e7c24536c206b623b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
c369083be36c067809edaa38ada0fd69

SHA1
b4c5475d3000fd800fbbcbe27145adb4abc909bb

SHA256
6fe204ba1ba1f821a72039c78beca8631887ab42370d036c00c2efc8b2b2ed1c

SHA512
c171450eb79805b4716cdfcfacb97230358693d95863daf728a804f6bf1b504dbca638e1e7722642f20acd6af23efc43a1dc64e309125636f1eebb9fc0ca981d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
1a19d752c5fbaad1a4ae6bc27e26da39

SHA1
302135220433cbffb052b3510e6923b55af518c2

SHA256
6d6f395c30050b18c26ad75daca94e5f8eb56dc60ea86a935912070dcdf054a9

SHA512
348b945c3f9635a28dd570110f70b7ea538320ff6dd71f0454b7db3e49103bd144fe4e85b943a3d60205755d15f3ece22547c1410db0bed7bcd3a34be3ccf825

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe
Filesize
72KB

MD5
077d5c3447d5e03cd4ad1bb68033ec03

SHA1
290b6cce8788511265be31c2fbe4739fe9fc2132

SHA256
78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

SHA512
4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainModule.exe
Filesize
72KB

MD5
077d5c3447d5e03cd4ad1bb68033ec03

SHA1
290b6cce8788511265be31c2fbe4739fe9fc2132

SHA256
78e3ff8a08208d3b5c7f7b8397fdfa4ede7ce0717546167b3d5635074922fd4c

SHA512
4efad46544565ac336594a8c14add1657ad202afe225e50afb566e8922d0d356ff60e1b0e2061ffd6ec238c1657ded38428294e0886ec7feb9231e84228cf1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize
5.1MB

MD5
3e2922711ccfb0d4c63bc2e1ac3962cb

SHA1
c0080d77f23d9ba6aea56bf808e7047564ddff51

SHA256
6e4581639b79846f73463632b751fbfb6568b3f3d12d14e1cf9a9f4f818d7a56

SHA512
47de0b4c5a20aeb8a777f1dc8f7c3fa9264d472d229727c97a12d77ac06f99000f830c73f261d3ad529e91ef9b4dcf944263292f4e69084cd0cd66826091d8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\start.exe
Filesize
5.1MB

MD5
3e2922711ccfb0d4c63bc2e1ac3962cb

SHA1
c0080d77f23d9ba6aea56bf808e7047564ddff51

SHA256
6e4581639b79846f73463632b751fbfb6568b3f3d12d14e1cf9a9f4f818d7a56

SHA512
47de0b4c5a20aeb8a777f1dc8f7c3fa9264d472d229727c97a12d77ac06f99000f830c73f261d3ad529e91ef9b4dcf944263292f4e69084cd0cd66826091d8f4

Download Submit
memory/372-207-0x0000000000000000-mapping.dmp

Download
memory/380-199-0x0000000000000000-mapping.dmp

Download
memory/616-189-0x0000000000000000-mapping.dmp

Download
memory/728-211-0x0000000000000000-mapping.dmp

Download
memory/1076-159-0x0000000000000000-mapping.dmp

Download
memory/1368-200-0x0000000000000000-mapping.dmp

Download
memory/1644-166-0x00000000060E0000-0x0000000006112000-memory.dmp

Filesize
200KB

Download
memory/1644-167-0x000000006DF10000-0x000000006DF5C000-memory.dmp

Filesize
304KB

Download
memory/1644-175-0x00000000070B0000-0x00000000070B8000-memory.dmp

Filesize
32KB

Download
memory/1644-174-0x0000000007170000-0x000000000718A000-memory.dmp

Filesize
104KB

Download
memory/1644-160-0x0000000000000000-mapping.dmp

Download
memory/1644-161-0x00000000021F0000-0x0000000002226000-memory.dmp

Filesize
216KB

Download
memory/1644-162-0x0000000004E60000-0x0000000005488000-memory.dmp

Filesize
6.2MB

Download
memory/1644-163-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/1644-164-0x0000000005490000-0x00000000054F6000-memory.dmp

Filesize
408KB

Download
memory/1644-165-0x0000000005B20000-0x0000000005B3E000-memory.dmp

Filesize
120KB

Download
memory/1644-173-0x0000000007070000-0x000000000707E000-memory.dmp

Filesize
56KB

Download
memory/1644-172-0x00000000070D0000-0x0000000007166000-memory.dmp

Filesize
600KB

Download
memory/1644-168-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/1644-169-0x00000000074B0000-0x0000000007B2A000-memory.dmp

Filesize
6.5MB

Download
memory/1644-170-0x0000000006E50000-0x0000000006E6A000-memory.dmp

Filesize
104KB

Download
memory/1644-171-0x0000000006EA0000-0x0000000006EAA000-memory.dmp

Filesize
40KB

Download
memory/1960-206-0x0000000000000000-mapping.dmp

Download
memory/2276-154-0x0000000000000000-mapping.dmp

Download
memory/2276-180-0x00000000004E0000-0x00000000017A6000-memory.dmp

Filesize
18.8MB

Download
memory/2276-157-0x00000000004E0000-0x00000000017A6000-memory.dmp

Filesize
18.8MB

Download
memory/2276-218-0x00000000004E0000-0x00000000017A6000-memory.dmp

Filesize
18.8MB

Download
memory/2288-193-0x0000000000000000-mapping.dmp

Download
memory/2668-203-0x0000000000000000-mapping.dmp

Download
memory/2700-208-0x0000000000000000-mapping.dmp

Download
memory/3104-201-0x0000000000000000-mapping.dmp

Download
memory/3320-192-0x0000000000000000-mapping.dmp

Download
memory/3344-183-0x0000000000000000-mapping.dmp

Download
memory/3344-186-0x0000000000080000-0x000000000009A000-memory.dmp

Filesize
104KB

Download
memory/3380-187-0x0000000000000000-mapping.dmp

Download
memory/3408-198-0x0000000000000000-mapping.dmp

Download
memory/3616-190-0x0000000000000000-mapping.dmp

Download
memory/3640-188-0x0000000000000000-mapping.dmp

Download
memory/3732-209-0x0000000000000000-mapping.dmp

Download
memory/3992-195-0x0000000000000000-mapping.dmp

Download
memory/4036-194-0x0000000000000000-mapping.dmp

Download
memory/4128-191-0x0000000000000000-mapping.dmp

Download
memory/4180-158-0x0000000000000000-mapping.dmp

Download
memory/4332-216-0x00007FFDDF5A0000-0x00007FFDE0061000-memory.dmp

Filesize
10.8MB

Download
memory/4332-214-0x00000275FF590000-0x00000275FF5B2000-memory.dmp

Filesize
136KB

Download
memory/4332-213-0x0000000000000000-mapping.dmp

Download
memory/4332-217-0x00007FFDDF5A0000-0x00007FFDE0061000-memory.dmp

Filesize
10.8MB

Download
memory/4340-205-0x0000000000000000-mapping.dmp

Download
memory/4480-197-0x000000006DF10000-0x000000006DF5C000-memory.dmp

Filesize
304KB

Download
memory/4480-181-0x0000000000000000-mapping.dmp

Download
memory/4492-204-0x0000000000000000-mapping.dmp

Download
memory/4508-196-0x0000000000000000-mapping.dmp

Download
memory/4760-202-0x0000000000000000-mapping.dmp

Download
memory/4788-179-0x000000006DF10000-0x000000006DF5C000-memory.dmp

Filesize
304KB

Download
memory/4788-176-0x0000000000000000-mapping.dmp

Download
memory/4908-212-0x0000000000000000-mapping.dmp

Download
memory/5180-219-0x0000000000000000-mapping.dmp

Download
memory/5236-220-0x0000000000000000-mapping.dmp

Download
memory/5256-224-0x00000222DAF10000-0x00000222DAF30000-memory.dmp

Filesize
128KB

Download
memory/5256-226-0x00000222DC8E0000-0x00000222DC900000-memory.dmp

Filesize
128KB

Download
memory/5256-221-0x0000000000000000-mapping.dmp

Download
memory/5256-227-0x00000222DC900000-0x00000222DC920000-memory.dmp

Filesize
128KB

Download
memory/5256-228-0x00000222DC900000-0x00000222DC920000-memory.dmp

Filesize
128KB

Download
memory/102652-143-0x0000000008780000-0x0000000008812000-memory.dmp

Filesize
584KB

Download
memory/102652-138-0x0000000006290000-0x00000000068A8000-memory.dmp

Filesize
6.1MB

Download
memory/102652-141-0x0000000007D70000-0x0000000007DAC000-memory.dmp

Filesize
240KB

Download
memory/102652-132-0x0000000000000000-mapping.dmp

Download
memory/102652-148-0x0000000009400000-0x0000000009450000-memory.dmp

Filesize
320KB

Download
memory/102652-140-0x0000000007C80000-0x0000000007C92000-memory.dmp

Filesize
72KB

Download
memory/102652-144-0x0000000008820000-0x0000000008886000-memory.dmp

Filesize
408KB

Download
memory/102652-145-0x0000000009BF0000-0x0000000009DB2000-memory.dmp

Filesize
1.8MB

Download
memory/102652-146-0x000000000A2F0000-0x000000000A81C000-memory.dmp

Filesize
5.2MB

Download
memory/102652-139-0x00000000068B0000-0x00000000069BA000-memory.dmp

Filesize
1.0MB

Download
memory/102652-142-0x0000000008C50000-0x00000000091F4000-memory.dmp

Filesize
5.6MB

Download
memory/102652-147-0x0000000009380000-0x00000000093F6000-memory.dmp

Filesize
472KB

Download
memory/102652-133-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/103332-153-0x0000000009F00000-0x0000000009F0A000-memory.dmp

Filesize
40KB

Download
memory/103332-149-0x0000000000000000-mapping.dmp

Download
memory/103332-152-0x0000000000190000-0x00000000001A8000-memory.dmp

Filesize
96KB

Download