aurora | af8ea2ae4917c68825f1c60f3900634cc7c2d3d2de079215f1aacf116841418c

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
27-01-2023 04:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deflated-gimp-2.10.32.-setup-1.exe
Size

217KB
MD5

009d70132e15d6f0bf593da170f0b7b0
SHA1

5a1bd8f31059de4e46778510fffd23c87bc32740
SHA256

af8ea2ae4917c68825f1c60f3900634cc7c2d3d2de079215f1aacf116841418c
SHA512

5192b9c860b4e10a329b181f4419cd7443f602ec9174d9c538e0843d10e59e4472df0e1b2a6572d96f89ad061eb1f6ea6240c8dd11d860664f93500dbee4824d
SSDEEP

3072:uI71VdaROKutNI6mKR0QHTT1Xm4B1jj0hhih3GD2xvwN64u/KKR7:uInda0KuksNzB1jjAoGD2lww4V

Score

10^/10

aurora redline redline discovery infostealer persistence spyware stealer

Malware Config

Extracted

Family

redline

Botnet

redline

79.137.133.225:25999

Attributes

auth_value
38284dbf15da9b4a9eaee0ef0d2b343f

Extracted

Family

aurora

79.137.133.225:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

Processes:

tmp79B9.tmp.exetmp79C9.tmp.exetmp79F9.tmp.exetmp7A1A.tmp.exetmp79F9.tmp.exetmp79B9.tmp.exetmp79B9.tmp.exetmp79C9.tmp.exetmp7A1A.tmp.exe

pid	process
2404	tmp79B9.tmp.exe
3260	tmp79C9.tmp.exe
228	tmp79F9.tmp.exe
816	tmp7A1A.tmp.exe
2156	tmp79F9.tmp.exe
1560	tmp79B9.tmp.exe
4592	tmp79B9.tmp.exe
332	tmp79C9.tmp.exe
2220	tmp7A1A.tmp.exe

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp79F9.tmp.exedeflated-gimp-2.10.32.-setup-1.exetmp79B9.tmp.exetmp79C9.tmp.exetmp79F9.tmp.exetmp7A1A.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp79F9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	deflated-gimp-2.10.32.-setup-1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp79B9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp79C9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp79F9.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation	tmp7A1A.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp7A1A.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gzltzqrlzsv = "\"C:\\Users\\Admin\\AppData\\Roaming\\Quhaolav\\Gzltzqrlzsv.exe\""	tmp7A1A.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp79F9.tmp.exetmp79B9.tmp.exetmp79C9.tmp.exetmp7A1A.tmp.exe

description	pid	process	target process
PID 228 set thread context of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 2404 set thread context of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 3260 set thread context of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 816 set thread context of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exetmp79B9.tmp.exetmp79B9.tmp.exetmp79F9.tmp.exepowershell.exe

pid	process
3656	powershell.exe
3516	powershell.exe
2552	powershell.exe
3656	powershell.exe
2552	powershell.exe
3516	powershell.exe
2680	powershell.exe
2680	powershell.exe
2680	powershell.exe
2404	tmp79B9.tmp.exe
2404	tmp79B9.tmp.exe
4592	tmp79B9.tmp.exe
4592	tmp79B9.tmp.exe
2156	tmp79F9.tmp.exe
2156	tmp79F9.tmp.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe
3984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

deflated-gimp-2.10.32.-setup-1.exetmp79B9.tmp.exetmp79C9.tmp.exetmp7A1A.tmp.exepowershell.exepowershell.exepowershell.exepowershell.exetmp79F9.tmp.exetmp79F9.tmp.exetmp7A1A.tmp.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	2480	deflated-gimp-2.10.32.-setup-1.exe
Token: SeDebugPrivilege	2404	tmp79B9.tmp.exe
Token: SeDebugPrivilege	3260	tmp79C9.tmp.exe
Token: SeDebugPrivilege	816	tmp7A1A.tmp.exe
Token: SeDebugPrivilege	3656	powershell.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	228	tmp79F9.tmp.exe
Token: SeDebugPrivilege	2156	tmp79F9.tmp.exe
Token: SeDebugPrivilege	2220	tmp7A1A.tmp.exe
Token: SeIncreaseQuotaPrivilege	1912	wmic.exe
Token: SeSecurityPrivilege	1912	wmic.exe
Token: SeTakeOwnershipPrivilege	1912	wmic.exe
Token: SeLoadDriverPrivilege	1912	wmic.exe
Token: SeSystemProfilePrivilege	1912	wmic.exe
Token: SeSystemtimePrivilege	1912	wmic.exe
Token: SeProfSingleProcessPrivilege	1912	wmic.exe
Token: SeIncBasePriorityPrivilege	1912	wmic.exe
Token: SeCreatePagefilePrivilege	1912	wmic.exe
Token: SeBackupPrivilege	1912	wmic.exe
Token: SeRestorePrivilege	1912	wmic.exe
Token: SeShutdownPrivilege	1912	wmic.exe
Token: SeDebugPrivilege	1912	wmic.exe
Token: SeSystemEnvironmentPrivilege	1912	wmic.exe
Token: SeRemoteShutdownPrivilege	1912	wmic.exe
Token: SeUndockPrivilege	1912	wmic.exe
Token: SeManageVolumePrivilege	1912	wmic.exe
Token: 33	1912	wmic.exe
Token: 34	1912	wmic.exe
Token: 35	1912	wmic.exe
Token: 36	1912	wmic.exe
Token: SeIncreaseQuotaPrivilege	1912	wmic.exe
Token: SeSecurityPrivilege	1912	wmic.exe
Token: SeTakeOwnershipPrivilege	1912	wmic.exe
Token: SeLoadDriverPrivilege	1912	wmic.exe
Token: SeSystemProfilePrivilege	1912	wmic.exe
Token: SeSystemtimePrivilege	1912	wmic.exe
Token: SeProfSingleProcessPrivilege	1912	wmic.exe
Token: SeIncBasePriorityPrivilege	1912	wmic.exe
Token: SeCreatePagefilePrivilege	1912	wmic.exe
Token: SeBackupPrivilege	1912	wmic.exe
Token: SeRestorePrivilege	1912	wmic.exe
Token: SeShutdownPrivilege	1912	wmic.exe
Token: SeDebugPrivilege	1912	wmic.exe
Token: SeSystemEnvironmentPrivilege	1912	wmic.exe
Token: SeRemoteShutdownPrivilege	1912	wmic.exe
Token: SeUndockPrivilege	1912	wmic.exe
Token: SeManageVolumePrivilege	1912	wmic.exe
Token: 33	1912	wmic.exe
Token: 34	1912	wmic.exe
Token: 35	1912	wmic.exe
Token: 36	1912	wmic.exe
Token: SeIncreaseQuotaPrivilege	4972	WMIC.exe
Token: SeSecurityPrivilege	4972	WMIC.exe
Token: SeTakeOwnershipPrivilege	4972	WMIC.exe
Token: SeLoadDriverPrivilege	4972	WMIC.exe
Token: SeSystemProfilePrivilege	4972	WMIC.exe
Token: SeSystemtimePrivilege	4972	WMIC.exe
Token: SeProfSingleProcessPrivilege	4972	WMIC.exe
Token: SeIncBasePriorityPrivilege	4972	WMIC.exe
Token: SeCreatePagefilePrivilege	4972	WMIC.exe
Token: SeBackupPrivilege	4972	WMIC.exe
Token: SeRestorePrivilege	4972	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

deflated-gimp-2.10.32.-setup-1.exetmp79B9.tmp.exetmp79C9.tmp.exetmp79F9.tmp.exetmp7A1A.tmp.exetmp79C9.tmp.exe

description	pid	process	target process
PID 2480 wrote to memory of 2404	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79B9.tmp.exe
PID 2480 wrote to memory of 2404	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79B9.tmp.exe
PID 2480 wrote to memory of 2404	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79B9.tmp.exe
PID 2480 wrote to memory of 3260	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79C9.tmp.exe
PID 2480 wrote to memory of 3260	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79C9.tmp.exe
PID 2480 wrote to memory of 3260	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79C9.tmp.exe
PID 2480 wrote to memory of 228	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79F9.tmp.exe
PID 2480 wrote to memory of 228	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp79F9.tmp.exe
PID 2480 wrote to memory of 816	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp7A1A.tmp.exe
PID 2480 wrote to memory of 816	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp7A1A.tmp.exe
PID 2480 wrote to memory of 816	2480	deflated-gimp-2.10.32.-setup-1.exe	tmp7A1A.tmp.exe
PID 2404 wrote to memory of 3516	2404	tmp79B9.tmp.exe	powershell.exe
PID 2404 wrote to memory of 3516	2404	tmp79B9.tmp.exe	powershell.exe
PID 2404 wrote to memory of 3516	2404	tmp79B9.tmp.exe	powershell.exe
PID 3260 wrote to memory of 3656	3260	tmp79C9.tmp.exe	powershell.exe
PID 3260 wrote to memory of 3656	3260	tmp79C9.tmp.exe	powershell.exe
PID 3260 wrote to memory of 3656	3260	tmp79C9.tmp.exe	powershell.exe
PID 228 wrote to memory of 2552	228	tmp79F9.tmp.exe	powershell.exe
PID 228 wrote to memory of 2552	228	tmp79F9.tmp.exe	powershell.exe
PID 816 wrote to memory of 2680	816	tmp7A1A.tmp.exe	powershell.exe
PID 816 wrote to memory of 2680	816	tmp7A1A.tmp.exe	powershell.exe
PID 816 wrote to memory of 2680	816	tmp7A1A.tmp.exe	powershell.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 228 wrote to memory of 2156	228	tmp79F9.tmp.exe	tmp79F9.tmp.exe
PID 2404 wrote to memory of 1560	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 1560	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 1560	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 2404 wrote to memory of 4592	2404	tmp79B9.tmp.exe	tmp79B9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 3260 wrote to memory of 332	3260	tmp79C9.tmp.exe	tmp79C9.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 816 wrote to memory of 2220	816	tmp7A1A.tmp.exe	tmp7A1A.tmp.exe
PID 332 wrote to memory of 1912	332	tmp79C9.tmp.exe	wmic.exe
PID 332 wrote to memory of 1912	332	tmp79C9.tmp.exe	wmic.exe
PID 332 wrote to memory of 1912	332	tmp79C9.tmp.exe	wmic.exe
PID 332 wrote to memory of 1740	332	tmp79C9.tmp.exe	cmd.exe
PID 332 wrote to memory of 1740	332	tmp79C9.tmp.exe	cmd.exe
PID 332 wrote to memory of 1740	332	tmp79C9.tmp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\deflated-gimp-2.10.32.-setup-1.exe
"C:\Users\Admin\AppData\Local\Temp\deflated-gimp-2.10.32.-setup-1.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480

C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
3⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4592

C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
PID:1740

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
PID:4212

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2156

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -Seconds 5; Stop-Process 2156 -Force; Start-Sleep -Seconds 2; Remove-Item "C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe" -Force
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\tmp79F9.tmp.exe.log
Filesize
1KB

MD5
28c1385a03d094835519f02b128b261f

SHA1
a88234aae78227bea962ca77216f997a9dce519b

SHA256
42891bd895f281b623c6e7c73ee7567871789d8f6c66965a5b04a46c85dd3180

SHA512
5105b3053337ce17b6da74ab0f1b3695601270bb556877564d7dede12d653d81909c6ff0f8332d1646afa85085732094fea08017e1bd22e7e2db3790563c5623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp79B9.tmp.exe.log
Filesize
1KB

MD5
2bea5ace75c1c406471930d05acf41f1

SHA1
fb20b843c1bf0340d17793752b9bca1e2e0333ba

SHA256
56036effd69e1a8cf8f77bb8acfee51f312865979e734638a2ad8f089d078d73

SHA512
86a8af16f5ff8436418bddb4ff59211c770353416ef262bad0a36b2b5afa1ab766c63fd93a5d02c323c0504e10bbff43d5ff6cadc01739f64e135a6a9b388b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
6640762988b7876166932ddeadd120ec

SHA1
d62bed222617ec67fb9ae462b75410307e36d69e

SHA256
5396acbab02f562fb886705e1d0aed39f5f0cc5d5ccacbd46efa6ae102e117d1

SHA512
92e086bff92f2a77b952b0ee3b63a54b9a26248e6abe2c1e3f4b9c02ef3656fde74ee8d8329c446fd97c6d19a9ee96403aad04dd6db913e68151e6f9a0467730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
8ea140183793f4a6e62ef94b93987db8

SHA1
fc52aec0de3d342327d91278109ddf1ea4e132c4

SHA256
d11e557af78de9c967367ea6dbcecde7d702c6cd112f99e5d05a298b4b802459

SHA512
82b451179fe3b1e2d9f71b7c7c9e7bd756ce3019ffa79eb8f969c6bc76da12cf36e093d28ea74c5ab85bf793d8ca53205af52b495970ebfa4b65a0b3ef78eedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
8ea140183793f4a6e62ef94b93987db8

SHA1
fc52aec0de3d342327d91278109ddf1ea4e132c4

SHA256
d11e557af78de9c967367ea6dbcecde7d702c6cd112f99e5d05a298b4b802459

SHA512
82b451179fe3b1e2d9f71b7c7c9e7bd756ce3019ffa79eb8f969c6bc76da12cf36e093d28ea74c5ab85bf793d8ca53205af52b495970ebfa4b65a0b3ef78eedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79B9.tmp.exe
Filesize
2.3MB

MD5
1d85c4d35f557fbbde158258300b753f

SHA1
1a0f596ee4f5abdb3dc3bad8a1247625fce982ea

SHA256
36ccb94aa071489c4f03b72cd09c2560e40d66e541e006b5f6ca1b6e84ef2e1a

SHA512
09aa7748f392dd2104672e4f774d717298659bb6df21db51de8455e01dba0ee0d5761ecf7cf5bd24eaae80943b91ed4ab189d1e1a0df9621636bb33a2e2cdd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79C9.tmp.exe
Filesize
4.0MB

MD5
58f86d3f8a1f981a7c7bf541c3bc787b

SHA1
a6b43c84c1b79551b39fc7c589deec969de84227

SHA256
5ec2cb39e7538c4c2eaedcd2c2ce1ea79665260e14ff5b6579e33829c06c0235

SHA512
88dd8807bbc2ad6f93eacc729489d4a859edf310becfafb788c69de80b716780dde739604d53656be8cbec160c940392d24344d2737ff9d25e064f29989b7719

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp79F9.tmp.exe
Filesize
2.8MB

MD5
dd3be814f985b521299022ac5b69f8f1

SHA1
f7be9ac89ea6632004c8251e3f814cd21ec481a8

SHA256
83533cb6a1439e6abdad6ed5f64ebfcf0768309ebacaeee2bdd86d9fd6fc5bc6

SHA512
964a09e433dbc59764c78356304c59cb6533afe621a426ba6565888de6ac77c4f48ead61e11ae4b48ac8497eda13122819b08f4a8126bdb86ed727addaf9b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7A1A.tmp.exe
Filesize
2.7MB

MD5
e0a5c7191e00ea683c4e73b1c80b8823

SHA1
8349e708101ba87a868fcf7cb4d00b91f1620ff6

SHA256
95dd221630d172703a90842a31b0e25a97f98c236e7a4cc09e5dc5862d8d0370

SHA512
1f2c10f8205952f613f406d7ea1c4d4bcdf6c71286ca4db859e3a131b4ee30af86f0e35cbcd58e3cd2d8f05a7e4a5be4dede910980b0afbfc44b7fea4d9224fa

Download Submit
memory/228-153-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/228-167-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/228-154-0x00000252EF560000-0x00000252EF582000-memory.dmp

Filesize
136KB

Download
memory/228-148-0x00000252ECB40000-0x00000252ECE18000-memory.dmp

Filesize
2.8MB

Download
memory/228-143-0x0000000000000000-mapping.dmp

Download
memory/228-176-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/332-209-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/332-194-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/332-191-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/332-187-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/332-185-0x0000000000000000-mapping.dmp

Download
memory/816-147-0x0000000000000000-mapping.dmp

Download
memory/816-151-0x0000000000390000-0x0000000000644000-memory.dmp

Filesize
2.7MB

Download
memory/1560-180-0x0000000000000000-mapping.dmp

Download
memory/1740-200-0x0000000000000000-mapping.dmp

Download
memory/1912-199-0x0000000000000000-mapping.dmp

Download
memory/2156-172-0x0000000140000000-0x0000000140078000-memory.dmp

Filesize
480KB

Download
memory/2156-179-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2156-173-0x0000000140000000-mapping.dmp

Download
memory/2156-208-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2156-216-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2220-196-0x0000000000000000-mapping.dmp

Download
memory/2220-197-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/2404-136-0x0000000000000000-mapping.dmp

Download
memory/2404-139-0x00000000003D0000-0x000000000062E000-memory.dmp

Filesize
2.4MB

Download
memory/2404-152-0x0000000005250000-0x0000000005272000-memory.dmp

Filesize
136KB

Download
memory/2480-133-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/2480-135-0x00000000054E0000-0x00000000054EA000-memory.dmp

Filesize
40KB

Download
memory/2480-132-0x0000000000950000-0x000000000098C000-memory.dmp

Filesize
240KB

Download
memory/2480-134-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/2552-168-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-157-0x0000000000000000-mapping.dmp

Download
memory/2552-171-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2552-164-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/2680-160-0x0000000000000000-mapping.dmp

Download
memory/3260-140-0x0000000000000000-mapping.dmp

Download
memory/3260-144-0x00000000002D0000-0x00000000006D6000-memory.dmp

Filesize
4.0MB

Download
memory/3516-166-0x0000000006E90000-0x0000000006EAA000-memory.dmp

Filesize
104KB

Download
memory/3516-155-0x0000000000000000-mapping.dmp

Download
memory/3516-159-0x0000000005B40000-0x0000000006168000-memory.dmp

Filesize
6.2MB

Download
memory/3656-165-0x0000000007320000-0x000000000799A000-memory.dmp

Filesize
6.5MB

Download
memory/3656-163-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/3656-158-0x0000000002660000-0x0000000002696000-memory.dmp

Filesize
216KB

Download
memory/3656-162-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/3656-161-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/3656-156-0x0000000000000000-mapping.dmp

Download
memory/3984-217-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/3984-211-0x0000000000000000-mapping.dmp

Download
memory/3984-215-0x00007FFD06F00000-0x00007FFD079C1000-memory.dmp

Filesize
10.8MB

Download
memory/4200-203-0x0000000000000000-mapping.dmp

Download
memory/4212-202-0x0000000000000000-mapping.dmp

Download
memory/4592-195-0x0000000005650000-0x000000000568C000-memory.dmp

Filesize
240KB

Download
memory/4592-207-0x0000000007280000-0x00000000072D0000-memory.dmp

Filesize
320KB

Download
memory/4592-206-0x0000000007200000-0x0000000007276000-memory.dmp

Filesize
472KB

Download
memory/4592-205-0x0000000008500000-0x0000000008A2C000-memory.dmp

Filesize
5.2MB

Download
memory/4592-204-0x0000000007E00000-0x0000000007FC2000-memory.dmp

Filesize
1.8MB

Download
memory/4592-193-0x00000000055E0000-0x00000000055F2000-memory.dmp

Filesize
72KB

Download
memory/4592-192-0x00000000056B0000-0x00000000057BA000-memory.dmp

Filesize
1.0MB

Download
memory/4592-190-0x0000000005B50000-0x0000000006168000-memory.dmp

Filesize
6.1MB

Download
memory/4592-183-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4592-182-0x0000000000000000-mapping.dmp

Download
memory/4972-201-0x0000000000000000-mapping.dmp

Download