Analysis
max time kernel: 117s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/03/2023, 10:54
Static task: static1

General
Target: c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe
Size: 1.3MB
MD5: 9a8ee1ee83d64b654a8bcab190eefe4a
SHA1: d7c15f6d0bd5c2e208038a8aae2002305f55ba2e
SHA256: c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8
SHA512: 145a0abf8cc80b4f2fa3d8b68a77c6c9e0a4304543752742f4916e97b021d0ce7eab89661bc7a6874cb91840944d082e0377f202706dd1a18d52fb6827059695
SSDEEP: 24576:yy35vC0g22SG/M2h7M31UMo76ySCUh0+bZgFRtYjsXc1tw:ZlC0gR1JAUMo76zC2tg3tYjekt
Malware Config

Extracted
family: redline
botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc

Extracted
family: amadey
version: 3.67
C2: 193.233.20.14/BR54nmB3/index.php

Extracted
family: redline
botnet: forma
C2: 193.233.20.24:4123
auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | gnKg49uK79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | gnKg49uK79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | besl92iS78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dshQ80mD69.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | gnKg49uK79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | gnKg49uK79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | besl92iS78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | besl92iS78.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | besl92iS78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | besl92iS78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | gnKg49uK79.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | besl92iS78.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dshQ80mD69.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 33 IoCs
All 33 matches are memory dumps of PID 3920 covering the same region, each matching yara rule family_redline:
resource: behavioral1/memory/3920-<n>-0x00000000050F0000-0x000000000512E000-memory.dmp
with <n> = 182, 183, 185, 187, 189, 191, 193, 195, 197, 199, 201, 203, 208, 210, 212, 214, 216, 218, 220, 222, 224, 226, 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, 248
yara_rule: family_redline
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | hk22yN04ak73.exe
Key value queried | \REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation | mnolyk.exe
Executes dropped EXE 14 IoCs
pid | Process
2196 | ptCe8643ZB.exe
1420 | ptOw1872rw.exe
1964 | ptLs1024xU.exe
2104 | ptyp6570Mr.exe
1520 | ptRe1376uN.exe
228 | besl92iS78.exe
3920 | cuDd28Sy58.exe
2056 | dshQ80mD69.exe
3668 | fr79Hy3046da.exe
3632 | gnKg49uK79.exe
3012 | hk22yN04ak73.exe
4596 | mnolyk.exe
1488 | jxxd69ow02.exe
5108 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
3144 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | besl92iS78.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dshQ80mD69.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | gnKg49uK79.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptyp6570Mr.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptCe8643ZB.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptyp6570Mr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptLs1024xU.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptRe1376uN.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptRe1376uN.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptCe8643ZB.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptOw1872rw.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptOw1872rw.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptLs1024xU.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 3 IoCs
pid | pid_target | Process | procid_target
1340 | 3920 | WerFault.exe | 96
4788 | 2056 | WerFault.exe | 100
624 | 3668 | WerFault.exe | 104
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2472 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
228 | besl92iS78.exe
228 | besl92iS78.exe
3920 | cuDd28Sy58.exe
3920 | cuDd28Sy58.exe
2056 | dshQ80mD69.exe
2056 | dshQ80mD69.exe
3668 | fr79Hy3046da.exe
3668 | fr79Hy3046da.exe
3632 | gnKg49uK79.exe
3632 | gnKg49uK79.exe
1488 | jxxd69ow02.exe
1488 | jxxd69ow02.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 228 | besl92iS78.exe
Token: SeDebugPrivilege | 3920 | cuDd28Sy58.exe
Token: SeDebugPrivilege | 2056 | dshQ80mD69.exe
Token: SeDebugPrivilege | 3668 | fr79Hy3046da.exe
Token: SeDebugPrivilege | 3632 | gnKg49uK79.exe
Token: SeDebugPrivilege | 1488 | jxxd69ow02.exe
Suspicious use of WriteProcessMemory 64 IoCs
Identical rows are collapsed; the entries column gives how many times each row appears in the report.
description | pid | Process | procid_target | entries
PID 2596 wrote to memory of 2196 | 2596 | c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe | 85 | 3
PID 2196 wrote to memory of 1420 | 2196 | ptCe8643ZB.exe | 86 | 3
PID 1420 wrote to memory of 1964 | 1420 | ptOw1872rw.exe | 87 | 3
PID 1964 wrote to memory of 2104 | 1964 | ptLs1024xU.exe | 88 | 3
PID 2104 wrote to memory of 1520 | 2104 | ptyp6570Mr.exe | 89 | 3
PID 1520 wrote to memory of 228 | 1520 | ptRe1376uN.exe | 90 | 2
PID 1520 wrote to memory of 3920 | 1520 | ptRe1376uN.exe | 96 | 3
PID 2104 wrote to memory of 2056 | 2104 | ptyp6570Mr.exe | 100 | 3
PID 1964 wrote to memory of 3668 | 1964 | ptLs1024xU.exe | 104 | 3
PID 1420 wrote to memory of 3632 | 1420 | ptOw1872rw.exe | 107 | 2
PID 2196 wrote to memory of 3012 | 2196 | ptCe8643ZB.exe | 108 | 3
PID 3012 wrote to memory of 4596 | 3012 | hk22yN04ak73.exe | 109 | 3
PID 2596 wrote to memory of 1488 | 2596 | c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe | 110 | 3
PID 4596 wrote to memory of 2472 | 4596 | mnolyk.exe | 111 | 3
PID 4596 wrote to memory of 3108 | 4596 | mnolyk.exe | 113 | 3
PID 3108 wrote to memory of 1388 | 3108 | cmd.exe | 115 | 3
PID 3108 wrote to memory of 2520 | 3108 | cmd.exe | 116 | 3
PID 3108 wrote to memory of 3844 | 3108 | cmd.exe | 117 | 3
PID 3108 wrote to memory of 4872 | 3108 | cmd.exe | 118 | 3
PID 3108 wrote to memory of 4940 | 3108 | cmd.exe | 119 | 3
PID 3108 wrote to memory of 4656 | 3108 | cmd.exe | 120 | 3
PID 4596 wrote to memory of 3144 | 4596 | mnolyk.exe | 123 | 3
Processes
Each entry gives the image path, its depth in the process tree and its PID, then the command line and the signatures attributed to it; children are indented under their parent.

C:\Users\Admin\AppData\Local\Temp\c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe (level 1, PID 2596)
  command line: "C:\Users\Admin\AppData\Local\Temp\c24349061630cb4062b0a9723ad07f638e70b991f7e4ea2ed4549cdc316ea4a8.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCe8643ZB.exe (level 2, PID 2196)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptCe8643ZB.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptOw1872rw.exe (level 3, PID 1420)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptOw1872rw.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptLs1024xU.exe (level 4, PID 1964)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptLs1024xU.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptyp6570Mr.exe (level 5, PID 2104)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptyp6570Mr.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptRe1376uN.exe (level 6, PID 1520)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptRe1376uN.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\besl92iS78.exe (level 7, PID 228)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\besl92iS78.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuDd28Sy58.exe (level 7, PID 3920)
              command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuDd28Sy58.exe
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

              C:\Windows\SysWOW64\WerFault.exe (level 8, PID 1340)
                command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3920 -s 1632
                - Program crash

          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dshQ80mD69.exe (level 6, PID 2056)
            command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dshQ80mD69.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WerFault.exe (level 7, PID 4788)
              command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 1080
              - Program crash

        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr79Hy3046da.exe (level 5, PID 3668)
          command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr79Hy3046da.exe
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

          C:\Windows\SysWOW64\WerFault.exe (level 6, PID 624)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3668 -s 1316
            - Program crash

      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnKg49uK79.exe (level 4, PID 3632)
        command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnKg49uK79.exe
        - Modifies Windows Defender Real-time Protection settings
        - Executes dropped EXE
        - Windows security modification
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk22yN04ak73.exe (level 3, PID 3012)
      command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk22yN04ak73.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (level 4, PID 4596)
        command line: "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe"
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe (level 5, PID 2472)
          command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe" /F
          - Creates scheduled task(s)

        C:\Windows\SysWOW64\cmd.exe (level 5, PID 3108)
          command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\465af4af92" /P "Admin:N"&&CACLS "..\465af4af92" /P "Admin:R" /E&&Exit
          - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe (level 6, PID 1388)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          C:\Windows\SysWOW64\cacls.exe (level 6, PID 2520)
            command line: CACLS "mnolyk.exe" /P "Admin:N"

          C:\Windows\SysWOW64\cacls.exe (level 6, PID 3844)
            command line: CACLS "mnolyk.exe" /P "Admin:R" /E

          C:\Windows\SysWOW64\cmd.exe (level 6, PID 4872)
            command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"

          C:\Windows\SysWOW64\cacls.exe (level 6, PID 4940)
            command line: CACLS "..\465af4af92" /P "Admin:N"

          C:\Windows\SysWOW64\cacls.exe (level 6, PID 4656)
            command line: CACLS "..\465af4af92" /P "Admin:R" /E

        C:\Windows\SysWOW64\rundll32.exe (level 5, PID 3144)
          command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
          - Loads dropped DLL

  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxxd69ow02.exe (level 2, PID 1488)
    command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxxd69ow02.exe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 3908)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3920 -ip 3920

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 3472)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2056 -ip 2056

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 1052)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3668 -ip 3668

C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe (level 1, PID 5108)
  command line: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
  - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
The report lists 34 entries; entries with identical size and hashes are collapsed below, with the number of occurrences given for each.

Filesize: 240KB
Occurrences: 6
MD5: 1e92c5bc6f5fe7b36775717e27e31ee0
SHA1: 969d49694d670a75d0d6cefd461974024ab9665a
SHA256: a9c64dc96bcc9185fb34d765058b73c4057a8cb76d968f0c3334a31497ed73f8
SHA512: f01e051d6db864c44531decd842bb909161fd79c7ce13a30216bd7c70e445f89819f67aaebf73539efe401a839ceecdfe10442c6c15a2ebc3bec10a5412b593b

Filesize: 177KB
Occurrences: 2
MD5: 9bfae918bb5763484137926f16d8040d
SHA1: 0e3ba588965f7a55cf69cd3199787e064e1cd584
SHA256: a7da29582c4631770323917d5aa5208f8c20607e5971347420ec3707a271e75b
SHA512: 7893b89b6131b15f62ba3f53a569e96cd7e099e524fd3c87257bd81366192422c0eaa17c284b94eda50bc7b40be442f538b6d8b76a4cc42d4da79cd41133b3be

Filesize: 1.2MB
Occurrences: 2
MD5: c898fe39360f0702813a285a4f9342c9
SHA1: 5060205c0842ce7f514e1990b43a8e66dcbb2731
SHA256: 9cf2e4ca07871324855997099174b41b0c95ec617f5225505b244c3343b9c948
SHA512: 921c7667cce5e06880d5a92f0b505d74d501b06e589b5bc79da606d7650c2e174bc1a3eca86c03733aee1ca630080a768cda611557efa404cf93fc17cb4770bf

Filesize: 994KB
Occurrences: 2
MD5: b91b084f2c47b48cd23dc53d739a1030
SHA1: 49dc03a865a32a2586d0226123103447107bac4b
SHA256: 5ab973ff90e722d811943268a2b6a27c1e3ed1579ca7857d558bc1a30d34881a
SHA512: b9c99154864f83f1b94e55dbc38e8edb4b8bb03f86c76956fbb17b9cf76897156caf8f549f3e9f338785867f649794c48c84b7a929d99db9ee640eb84df76e32

Filesize: 16KB
Occurrences: 2
MD5: a0e5a85205f5f39ee9f04f12359083a6
SHA1: cc3aec7510aac5ecf65305737449007597b51776
SHA256: 73dd848db5ab64a6e1597ee76c98d100fea08900535d066e0962472ec6f528b1
SHA512: 09aabcd72eaeaedaff4d3d6bb0a9d7f0b59b2d0fb9b3c84e2c7cc51574f13354080792c77d757f86ec6b41a4912698b5bdda30e11b61ddb12f85f8facbf51ac3

Filesize: 894KB
Occurrences: 2
MD5: c584bb78c61a8d647ad83d0d22db18f2
SHA1: 4f753d24b30cb9c0bd3d107e3d6f95a8362df7b0
SHA256: e5abdcd05edc94113186273681be378fcab4f6e1449bccc09cb2a592931e1fba
SHA512: a7a37d8bdc2d70f1c3101539d620c6499f2fca6ac80f53fe8af560c5bbc67205637be6e0a11d185b1de80bc423ae9b15a91b741b1e6f4d2ca4c570bb7178e9e2

Filesize: 302KB
Occurrences: 5
MD5: 47edc698fb60063cef4e63ee2d5d05bc
SHA1: 8f7bc644d7a378df490ab77d7b3b9b2a25a870fa
SHA256: 2561279e13e55b30c371c6d72c72bf9124697eec6395f1c1dfbbdd8ac3f5557f
SHA512: b6c7b5288217bd01efe5ee9ec396dc7471240749a9f8998ddec34f7a2a073bfaa062e4a72986d0dcb73e283dc60e0cfcd0885a2e68014598e86277dd80082715

Filesize: 668KB
Occurrences: 2
MD5: e478c386d355952d9f49e72459638ac6
SHA1: 7dca12cb1c96671704c38c27156922054c681942
SHA256: 8293e3f4950997829d64af0632856a757ef40b90ed9774a45a8303f2704e419d
SHA512: 7342575977519333c7f29ae7e45d84ae12ad994d744cbce72ad04a4cf974873462e3ca592e0d48ae31a6a7c6fb06ad35c3239eb99eef5c65805de96f9f0dc6de

Filesize: 245KB
Occurrences: 2
MD5: e6caaa2efb0cfb1c78d33f599f7111cd
SHA1: 399376044c0858e71b427ec0a6f3daadebec64ae
SHA256: 9d48837b57309f1cb4975cce80ae1b48ca9cd2eef242ba1638ca806287e79375
SHA512: 41ada8db6c43e7e2a093a9530ed5047c0b764e1f7ef9a7a70306b2295902afb7cfaaaff1d6e750ce966de3682f80ce95d435eb06b98a72050f499d3541f8d61c

Filesize: 391KB
Occurrences: 2
MD5: 17d7b63caa8a45bec77261b9e0b5b326
SHA1: 669bcf14dca6f34d28d50851d1c691a0c70fba54
SHA256: 11c9e8b637f632a2eddbb48063e78b5a2bbc86ec54e5149a724ba0ab8567ddbf
SHA512: 13e582e285461e7262cff026cd480a097f09d6f998ffadb75f1cce457838d9ceb2f5681bfe2cb665e8577be403d4628d2219015710371074b955172f854e09b3

Filesize: 16KB
Occurrences: 3
MD5: d1685adb74317ff4745b888e94038736
SHA1: ddd8acb7e038d2c9b20f9271a7dfe9fafe480589
SHA256: d24cf348cce67751067d24390b54e82b77911778fc705bd3a3097f6ca1f5fe15
SHA512: d95b4ec2f0aa648e13534638a8b740f34e4766d559ab9b0423ac2e03fb4d5ab90a7164251cc23c5a4434a0fdb592fa22b1779e8024cc9f939bf3f2674d383523

Filesize: 89KB
Occurrences: 3
MD5: eff1ce4e3c7459a8061b91c5b55e0504
SHA1: b790e43dae923d673aadf9e11a4f904a4c44a3f4
SHA256: bfa2c6b2a0303482dd77f02dc34fa0df450f46debd87b8d6a8473ac7889b605a
SHA512: d3ade314ad8f337d5117a3e0cec2eb7128936d97f09f496e1a0cb76b4e3204c30858ab4c6a2da9bd8fe776d32b7af38dc60d14b7c800d6f0ebb275132172cd78

Filesize: 162B
Occurrences: 1
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5