Analysis

max time kernel: 114s
max time network: 115s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 01-03-2023 13:53

Static task: static1
General

Target: 8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532.exe
Size: 1.3MB
MD5: 9bac4a40bd55765cf87627dfe41a32a7
SHA1: fd23f3266bdbb25563a7d7846b8550d62d4ae70d
SHA256: 8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532
SHA512: 2cee586270a7c5a8acf680965811703842c5355743b0f45bb147153133459e4d3ad0c8c5a2cfc633bed8fc86f7bd23ed18fbb976dd426cfb77b603739f9063a2
SSDEEP: 24576:Pyv4pCM0dOSD0ePy2eI67GL/WwyoOnGsKfYhiylJkqodpcfejLHOZIZJFQx:aApCHdJDda2e6TyLnAfLylOpWWLHOZI
Malware Config

Extracted
Family: redline
Botnet: rumfa
C2: 193.233.20.24:4123
auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc

Extracted
Family: amadey
Version: 3.67
C2: 193.233.20.14/BR54nmB3/index.php

Extracted
Family: redline
Botnet: forma
C2: 193.233.20.24:4123
auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures
Modifies Windows Defender Real-time Protection settings
description | ioc (all under \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection) | Process
Set value (int) | DisableBehaviorMonitoring = "1" | beGD29OY91.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | gnAY77ll42.exe
Set value (int) | DisableRealtimeMonitoring = "1" | gnAY77ll42.exe
Set value (int) | DisableIOAVProtection = "1" | beGD29OY91.exe
Set value (int) | DisableOnAccessProtection = "1" | beGD29OY91.exe
Set value (int) | DisableRealtimeMonitoring = "1" | beGD29OY91.exe
Set value (int) | DisableOnAccessProtection = "1" | dsti64YR54.exe
Set value (int) | DisableRealtimeMonitoring = "1" | dsti64YR54.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | dsti64YR54.exe
Set value (int) | DisableBehaviorMonitoring = "1" | gnAY77ll42.exe
Set value (int) | DisableOnAccessProtection = "1" | gnAY77ll42.exe
Set value (int) | DisableScanOnRealtimeEnable = "1" | beGD29OY91.exe
Set value (int) | DisableBehaviorMonitoring = "1" | dsti64YR54.exe
Set value (int) | DisableIOAVProtection = "1" | dsti64YR54.exe
Set value (int) | DisableIOAVProtection = "1" | gnAY77ll42.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload 38 IoCs
Executes dropped EXE 14 IoCs
pid | Process
4436 | ptXn7370Yu.exe
4936 | ptja4260ax.exe
2148 | ptkn4522EO.exe
3508 | ptwU2158sl.exe
2852 | ptJm9975Ut.exe
4700 | beGD29OY91.exe
1388 | cuHq71pM90.exe
2644 | dsti64YR54.exe
4332 | fr51pL1507ry.exe
4712 | gnAY77ll42.exe
4948 | hk90HH34Mx61.exe
4856 | mnolyk.exe
4912 | jxyV33sV89.exe
1528 | mnolyk.exe
Loads dropped DLL 1 IoCs
pid | Process
1712 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | beGD29OY91.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dsti64YR54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dsti64YR54.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | gnAY77ll42.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptkn4522EO.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptJm9975Ut.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptja4260ax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptja4260ax.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptkn4522EO.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptwU2158sl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptwU2158sl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptJm9975Ut.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptXn7370Yu.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptXn7370Yu.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3336 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
4700 | beGD29OY91.exe
4700 | beGD29OY91.exe
1388 | cuHq71pM90.exe
1388 | cuHq71pM90.exe
2644 | dsti64YR54.exe
2644 | dsti64YR54.exe
4332 | fr51pL1507ry.exe
4332 | fr51pL1507ry.exe
4712 | gnAY77ll42.exe
4712 | gnAY77ll42.exe
4912 | jxyV33sV89.exe
4912 | jxyV33sV89.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4700 | beGD29OY91.exe
Token: SeDebugPrivilege | 1388 | cuHq71pM90.exe
Token: SeDebugPrivilege | 2644 | dsti64YR54.exe
Token: SeDebugPrivilege | 4332 | fr51pL1507ry.exe
Token: SeDebugPrivilege | 4712 | gnAY77ll42.exe
Token: SeDebugPrivilege | 4912 | jxyV33sV89.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

- (level 1) C:\Users\Admin\AppData\Local\Temp\8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8fd55ddf213b7ed02a4b86023cd30ca0c6906a99e6eb73672f968f04b433a532.exe"
  PID: 3636
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptXn7370Yu.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptXn7370Yu.exe
    PID: 4436
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptja4260ax.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptja4260ax.exe
      PID: 4936
      Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - (level 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptkn4522EO.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptkn4522EO.exe
        PID: 2148
        Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        - (level 5) C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptwU2158sl.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptwU2158sl.exe
          PID: 3508
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          - (level 6) C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptJm9975Ut.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptJm9975Ut.exe
            PID: 2852
            Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            - (level 7) C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beGD29OY91.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\beGD29OY91.exe
              PID: 4700
              Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            - (level 7) C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuHq71pM90.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuHq71pM90.exe
              PID: 1388
              Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          - (level 6) C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsti64YR54.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsti64YR54.exe
            PID: 2644
            Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
        - (level 5) C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr51pL1507ry.exe
          Command line: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr51pL1507ry.exe
          PID: 4332
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - (level 4) C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnAY77ll42.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gnAY77ll42.exe
        PID: 4712
        Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - (level 3) C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk90HH34Mx61.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk90HH34Mx61.exe
      PID: 4948
      Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - (level 4) C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe"
        PID: 4856
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - (level 5) C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe" /F
          PID: 3336
          Signatures: Creates scheduled task(s)
        - (level 5) C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\465af4af92" /P "Admin:N"&&CACLS "..\465af4af92" /P "Admin:R" /E&&Exit
          PID: 2228
          Signatures: Suspicious use of WriteProcessMemory
          - (level 6) C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 4200
          - (level 6) C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "mnolyk.exe" /P "Admin:N"
            PID: 664
          - (level 6) C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
            PID: 1136
          - (level 6) C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            PID: 868
          - (level 6) C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\465af4af92" /P "Admin:N"
            PID: 1148
          - (level 6) C:\Windows\SysWOW64\cacls.exe
            Command line: CACLS "..\465af4af92" /P "Admin:R" /E
            PID: 824
        - (level 5) C:\Windows\SysWOW64\rundll32.exe
          Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
          PID: 1712
          Signatures: Loads dropped DLL
  - (level 2) C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxyV33sV89.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxyV33sV89.exe
    PID: 4912
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- (level 1) C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
  PID: 1528
  Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads