Analysis
max time kernel: 145s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-03-2023 16:02
Static task: static1
General
Target: 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe
Size: 1.3MB
MD5: a16b63f54d6f6da5cd5fa5144267e346
SHA1: f7793a2aa51ab11d7c07f2cad5df0616314ad945
SHA256: 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257
SHA512: bba0cfd5a58a18ab0126bdf1969f40f01daaaf0f295b5513f8cb9f6862b35ae116fc3cd3646a8968fd3877f48d65d458f3e40abb2978b290e8e88ca6f18fe831
SSDEEP: 24576:8yd1D3org/jkhCQ5PK5SSd5NHx5F04LS/2ouCxAf9NeSMMOmp:rdryCQls7d152E9Nw
Malware Config
Three configurations were extracted from the run: two RedLine builds that share one C2 endpoint but carry different IDs and auth values, and one Amadey configuration whose C2 host sits in the same /24.

Extracted: RedLine
  Botnet/campaign ID: rumfa
  C2: 193.233.20.24:4123
  auth_value: 749d02a6b4ef1fa2ad908e44ec2296dc

Extracted: Amadey
  Version: 3.67
  C2: 193.233.20.15/dF30Hn4m/index.php

Extracted: RedLine
  Botnet/campaign ID: forma
  C2: 193.233.20.24:4123
  auth_value: 50b8e065d7cb1e9e30786f7a370368f9
Signatures
Modifies Windows Defender Real-time Protection settings 17 IoCs
Three of the dropped payloads (iBI17Dx80.exe, rpN47Ke05.exe and mMs17zM55.exe) each set the five Real-Time Protection policy values that switch off Defender's real-time engine; the writes by mMs17zM55.exe were logged under the WOW6432Node view of the hive.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" rpN47Ke05.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mMs17zM55.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 33 IoCs
resource yara_rule
behavioral1/memory/3188-N-0x0000000002810000-0x000000000284E000-memory.dmp family_redline
  for N in 187, 188, 190, 192, 194, 196, 198, 200, 202, 204, 206, 208, 210, 212, 214, 216, 218, 220, 222, 224, 226, 228, 230, 232, 234, 236, 238, 240, 242, 244, 246, 248
  (32 dumps of the same 0x3E000-byte region of PID 3188, kIS19Vy51.exe)
behavioral1/memory/2200-1223-0x0000000004B30000-0x0000000004B40000-memory.dmp family_redline
  (PID 2200, nkt05os27.exe)
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation sf15oC91cW88.exe
Key value queried \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation mnolyk.exe
Executes dropped EXE 15 IoCs
pid Process
1624 vmKB67Gv38.exe
1088 vmps02kl12.exe
244 vmgs84ZY64.exe
1352 vmvj99uq82.exe
5100 vmKn37Id78.exe
4084 iBI17Dx80.exe
3188 kIS19Vy51.exe
4752 mMs17zM55.exe
2200 nkt05os27.exe
1016 rpN47Ke05.exe
4996 sf15oC91cW88.exe
3004 mnolyk.exe
3484 tv78rI16kw99.exe
4600 mnolyk.exe
4024 mnolyk.exe
Loads dropped DLL 1 IoCs
pid Process
4316 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 4 IoCs
The same three processes that disable real-time protection also set Features\TamperProtection to 0. Tamper Protection exists to block exactly this kind of change to Defender's configuration; on a host where it is enabled these writes are blocked or reverted, and the attempt itself is what a detection should key on.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" rpN47Ke05.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" mMs17zM55.exe
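Turning the two Defender tables above into a per-process tamper summary, as an added example that is not part of the sandbox report. The event lines are constructed from the registry IoCs in this section (all 21 Defender-related entries, plus one RunOnce entry from the "Adds Run key" table as a non-matching control) in the sandbox's own one-line format. The regex and the set of value names treated as "weakens real-time protection" are the example's own choices, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed input: the Defender-related registry events from the signature tables
# above, one per line as the sandbox prints them, plus one unrelated RunOnce event.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" iBI17Dx80.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" iBI17Dx80.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" rpN47Ke05.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" rpN47Ke05.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" mMs17zM55.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features mMs17zM55.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" mMs17zM55.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmgs84ZY64.exe
"""

# "<operation> <key path>[ = "<data>"] <process>"; the key path may contain spaces,
# so it is matched lazily and anchored by the trailing process name.
EVENT_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key created)\s+'
    r'(?P<key>\\REGISTRY\\.+?)'
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+\.exe)$'
)

# Real-Time Protection policy values that weaken Defender when set to 1 (example's own list).
RTP_DISABLE_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableOnAccessProtection",
    "DisableIOAVProtection", "DisableScanOnRealtimeEnable",
}


def parse_events(text):
    """Parse sandbox registry events into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        if ev["op"].startswith("Set value"):
            # Last path component of a Set value event is the value name.
            ev["key"], _, ev["value_name"] = ev["key"].rpartition("\\")
        else:
            ev["value_name"] = None
        ev["wow64_view"] = "\\WOW6432Node\\" in ev["key"]
        events.append(ev)
    return events


def defender_tampering(events):
    """Return {process: sorted findings} for value writes that weaken Defender."""
    findings = defaultdict(set)
    for ev in events:
        if ev["op"] == "Key created":
            continue
        key, name, data = ev["key"].lower(), ev["value_name"], ev["data"]
        view = " (WOW6432Node view)" if ev["wow64_view"] else ""
        if key.endswith(r"\windows defender\real-time protection") and name in RTP_DISABLE_VALUES and data == "1":
            findings[ev["process"]].add(f"RTP:{name}=1{view}")
        elif key.endswith(r"\windows defender\features") and name == "TamperProtection" and data == "0":
            findings[ev["process"]].add(f"TamperProtection=0{view}")
    return {proc: sorted(f) for proc, f in findings.items()}


if __name__ == "__main__":
    for proc, hits in defender_tampering(parse_events(SAMPLE_EVENTS)).items():
        print(proc, "->", ", ".join(hits))
```

The control line (the RunOnce key creation by vmgs84ZY64.exe) parses but produces no finding, which is the point of keeping the value-name check explicit rather than matching on the string "Windows Defender" alone.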
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
These RunOnce entries are not the malware's own persistence. A wextract_cleanupN value that runs rundll32 advpack.dll,DelNodeRunDLL32 against an IXP00N.TMP folder is what the Windows IExpress self-extractor registers so that its temporary directory is deleted at the next logon. Six of them (IXP000 through IXP005) show that the sample is six nested self-extracting packages, each unpacking the next. The persistence that matters in this run is the scheduled task created by mnolyk.exe (see "Creates scheduled task(s)" and the process tree).
description ioc Process
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmKB67Gv38.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" vmKB67Gv38.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmps02kl12.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" vmps02kl12.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmgs84ZY64.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" vmgs84ZY64.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmvj99uq82.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" vmvj99uq82.exe
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce vmKn37Id78.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" vmKn37Id78.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system. Here it is used to start the Windows Update service (wuauserv); the instance has no parent inside the sample's process tree.
pid Process
4320 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description flags this as likely ransomware behaviour, but nothing else in this run points to encryption; the detections here are stealer (RedLine) and loader (Amadey) activity, for which drive enumeration is routine.
-
Program crash 3 IoCs
pid pid_target Process procid_target
5036 3188 WerFault.exe 95
4852 4752 WerFault.exe 99
1780 2200 WerFault.exe 105
The crashing targets are kIS19Vy51.exe (3188), mMs17zM55.exe (4752) and nkt05os27.exe (2200); two of them (3188 and 2200) are the processes whose memory matched the RedLine YARA rule.
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process
4684 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process (each listed twice in the report)
4084 iBI17Dx80.exe
3188 kIS19Vy51.exe
4752 mMs17zM55.exe
2200 nkt05os27.exe
1016 rpN47Ke05.exe
3484 tv78rI16kw99.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process
Token: SeDebugPrivilege 4084 iBI17Dx80.exe
Token: SeDebugPrivilege 3188 kIS19Vy51.exe
Token: SeDebugPrivilege 4752 mMs17zM55.exe
Token: SeDebugPrivilege 2200 nkt05os27.exe
Token: SeDebugPrivilege 1016 rpN47Ke05.exe
Token: SeDebugPrivilege 3484 tv78rI16kw99.exe
Suspicious use of WriteProcessMemory 64 IoCs
Each parent-to-child write appears two or three times in the report; the 22 distinct pairs are listed once with their multiplicity. The column order follows the original: description, writing pid, writing process, sandbox procid_target.
description pid Process procid_target (times listed)
PID 652 wrote to memory of 1624 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 86 (3)
PID 1624 wrote to memory of 1088 1624 vmKB67Gv38.exe 87 (3)
PID 1088 wrote to memory of 244 1088 vmps02kl12.exe 88 (3)
PID 244 wrote to memory of 1352 244 vmgs84ZY64.exe 89 (3)
PID 1352 wrote to memory of 5100 1352 vmvj99uq82.exe 90 (3)
PID 5100 wrote to memory of 4084 5100 vmKn37Id78.exe 91 (2)
PID 5100 wrote to memory of 3188 5100 vmKn37Id78.exe 95 (3)
PID 1352 wrote to memory of 4752 1352 vmvj99uq82.exe 99 (3)
PID 244 wrote to memory of 2200 244 vmgs84ZY64.exe 105 (3)
PID 1088 wrote to memory of 1016 1088 vmps02kl12.exe 108 (2)
PID 1624 wrote to memory of 4996 1624 vmKB67Gv38.exe 109 (3)
PID 4996 wrote to memory of 3004 4996 sf15oC91cW88.exe 110 (3)
PID 652 wrote to memory of 3484 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 111 (3)
PID 3004 wrote to memory of 4684 3004 mnolyk.exe 112 (3)
PID 3004 wrote to memory of 2800 3004 mnolyk.exe 114 (3)
PID 2800 wrote to memory of 1184 2800 cmd.exe 116 (3)
PID 2800 wrote to memory of 792 2800 cmd.exe 117 (3)
PID 2800 wrote to memory of 3876 2800 cmd.exe 118 (3)
PID 2800 wrote to memory of 1080 2800 cmd.exe 119 (3)
PID 2800 wrote to memory of 180 2800 cmd.exe 120 (3)
PID 2800 wrote to memory of 3924 2800 cmd.exe 121 (3)
PID 3004 wrote to memory of 4316 3004 mnolyk.exe 131 (3)
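Reconstructing the execution chain from this flat table, as an added example that is not part of the sandbox report. The parser reads lines in the exact format above (a constructed excerpt: the first edge keeps its three repeated entries, and the six cmd.exe children are left out for brevity), collapses repeats into edge multiplicities, maps child PIDs to image names using the "Executes dropped EXE" table, and renders the tree with the same depth numbering the Processes section uses. The child-name table is copied from the report; the tree-building logic is the example's own.

```python
import re
from collections import Counter

# Constructed excerpt of the "Suspicious use of WriteProcessMemory" table, in the
# sandbox's own line format. Only the writing (parent) process is named per line.
SAMPLE_WPM = """
PID 652 wrote to memory of 1624 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 86
PID 652 wrote to memory of 1624 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 86
PID 652 wrote to memory of 1624 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 86
PID 1624 wrote to memory of 1088 1624 vmKB67Gv38.exe 87
PID 1088 wrote to memory of 244 1088 vmps02kl12.exe 88
PID 244 wrote to memory of 1352 244 vmgs84ZY64.exe 89
PID 1352 wrote to memory of 5100 1352 vmvj99uq82.exe 90
PID 5100 wrote to memory of 4084 5100 vmKn37Id78.exe 91
PID 5100 wrote to memory of 3188 5100 vmKn37Id78.exe 95
PID 1352 wrote to memory of 4752 1352 vmvj99uq82.exe 99
PID 244 wrote to memory of 2200 244 vmgs84ZY64.exe 105
PID 1088 wrote to memory of 1016 1088 vmps02kl12.exe 108
PID 1624 wrote to memory of 4996 1624 vmKB67Gv38.exe 109
PID 4996 wrote to memory of 3004 4996 sf15oC91cW88.exe 110
PID 652 wrote to memory of 3484 652 5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe 111
PID 3004 wrote to memory of 4684 3004 mnolyk.exe 112
PID 3004 wrote to memory of 2800 3004 mnolyk.exe 114
PID 3004 wrote to memory of 4316 3004 mnolyk.exe 131
"""

# Child PID -> image, copied from the "Executes dropped EXE" table and the process list.
KNOWN_IMAGES = {
    1624: "vmKB67Gv38.exe", 1088: "vmps02kl12.exe", 244: "vmgs84ZY64.exe",
    1352: "vmvj99uq82.exe", 5100: "vmKn37Id78.exe", 4084: "iBI17Dx80.exe",
    3188: "kIS19Vy51.exe", 4752: "mMs17zM55.exe", 2200: "nkt05os27.exe",
    1016: "rpN47Ke05.exe", 4996: "sf15oC91cW88.exe", 3004: "mnolyk.exe",
    3484: "tv78rI16kw99.exe", 4684: "schtasks.exe", 2800: "cmd.exe", 4316: "rundll32.exe",
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return (edge multiplicities, pid -> image) from WriteProcessMemory lines."""
    edges, names = Counter(), dict(KNOWN_IMAGES)
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        parent, child, _, image, _ = m.groups()
        edges[(int(parent), int(child))] += 1
        names[int(parent)] = image
    return edges, names


def build_tree(edges):
    """Children per parent in first-seen order, plus roots (pids never written to)."""
    children = {}
    for parent, child in edges:  # Counter keeps insertion order
        children.setdefault(parent, [])
        if child not in children[parent]:
            children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = [p for p in children if p not in written_to]
    return children, roots


def longest_chain(children, root):
    """Root-to-leaf path with the most hops; the first one found wins ties."""
    best = [root]
    for child in children.get(root, []):
        cand = [root] + longest_chain(children, child)
        if len(cand) > len(best):
            best = cand
    return best


def render(children, names, root, depth=1):
    """Indented tree lines numbered like the sandbox's Processes section."""
    lines = [f"{'  ' * (depth - 1)}[{depth}] {root} {names.get(root, '?')}"]
    for child in children.get(root, []):
        lines.extend(render(children, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges, names = parse_wpm(SAMPLE_WPM)
    children, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, names, root)))
    chain = longest_chain(children, roots[0])
    print("deepest chain:", " -> ".join(names[p] for p in chain), f"({len(chain)} levels)")
```

The deepest chain the code recovers (652 to 4084, seven levels) matches the "7⤵" depth the sandbox assigns to iBI17Dx80.exe, and the single root confirms that everything except the top-level WerFault, sc.exe and scheduled-task mnolyk.exe instances descends from the submitted sample.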
Processes
Depth in the tree is given in brackets, matching the level numbers in the sandbox output. Each entry shows the PID and image path, the command line where it differs from the image path, and the signatures attached to that process. The IXP000.TMP through IXP005.TMP directories are six nested self-extracting packages unpacking into one another. The cmd.exe chain under mnolyk.exe uses cacls to replace the Admin user's rights on the binary and its folder with none and then add back read only, which blocks casual deletion. The top-level mnolyk.exe instances (PIDs 4600 and 4024) and sc.exe (PID 4320) were not spawned from inside the sample's tree; the mnolyk.exe launches are consistent with the every-minute scheduled task created by PID 4684.

[1] PID 652  C:\Users\Admin\AppData\Local\Temp\5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\5c2e75bf09b2b637a5bda868d2cad0a847e33ac925bcbb1cbc6c0f7952c90257.exe"
    Adds Run key to start application; Suspicious use of WriteProcessMemory
  [2] PID 1624  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vmKB67Gv38.exe
      Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    [3] PID 1088  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\vmps02kl12.exe
        Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
      [4] PID 244  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\vmgs84ZY64.exe
          Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
        [5] PID 1352  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\vmvj99uq82.exe
            Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
          [6] PID 5100  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\vmKn37Id78.exe
              Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
            [7] PID 4084  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\iBI17Dx80.exe
                Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            [7] PID 3188  C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\kIS19Vy51.exe
                Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
              [8] PID 5036  C:\Windows\SysWOW64\WerFault.exe
                  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 1340
                  Program crash
          [6] PID 4752  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\mMs17zM55.exe
              Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
            [7] PID 4852  C:\Windows\SysWOW64\WerFault.exe
                Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1064
                Program crash
        [5] PID 2200  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\nkt05os27.exe
            Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
          [6] PID 1780  C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 1340
              Program crash
      [4] PID 1016  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\rpN47Ke05.exe
          Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    [3] PID 4996  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\sf15oC91cW88.exe
        Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      [4] PID 3004  C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe"
          Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
        [5] PID 4684  C:\Windows\SysWOW64\schtasks.exe
            Command line: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F
            Creates scheduled task(s)
        [5] PID 2800  C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\4f9dd6f8a7" /P "Admin:N"&&CACLS "..\4f9dd6f8a7" /P "Admin:R" /E&&Exit
            Suspicious use of WriteProcessMemory
          [6] PID 1184  C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] PID 792  C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:N"
          [6] PID 3876  C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "mnolyk.exe" /P "Admin:R" /E
          [6] PID 1080  C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] PID 180  C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\4f9dd6f8a7" /P "Admin:N"
          [6] PID 3924  C:\Windows\SysWOW64\cacls.exe
              Command line: CACLS "..\4f9dd6f8a7" /P "Admin:R" /E
        [5] PID 4316  C:\Windows\SysWOW64\rundll32.exe
            Command line: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            Loads dropped DLL
  [2] PID 3484  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv78rI16kw99.exe
      Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
[1] PID 3644  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3188 -ip 3188
[1] PID 1320  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4752 -ip 4752
[1] PID 3148  C:\Windows\SysW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2200 -ip 2200
[1] PID 4600  C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    Executes dropped EXE
[1] PID 4320  C:\Windows\system32\sc.exe
    Command line: C:\Windows\system32\sc.exe start wuauserv
    Launches sc.exe
[1] PID 4024  C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe
    Executes dropped EXE
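Turning the mnolyk.exe persistence steps into a detection, as an added example that is not part of the sandbox report. The function below runs three checks over process-creation records given as (pid, image, command line): a scheduled task that re-runs a binary from a user-writable AppData path on a minute interval, cacls removing a user's own access to a file or folder, and rundll32 loading a DLL from the user profile. The records are copied from the process tree above; pid 9001 is a made-up benign task used as a control. The path heuristics and rule wording are the example's own.

```python
import re

# Constructed process-creation records (pid, image, command line) copied from the
# Processes section, plus one made-up benign scheduled task (pid 9001) as a control.
RECORDS = [
    (4684, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\4f9dd6f8a7\mnolyk.exe" /F'),
    (792,  r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:N"'),
    (3876, r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "mnolyk.exe" /P "Admin:R" /E'),
    (180,  r"C:\Windows\SysWOW64\cacls.exe", r'CACLS "..\4f9dd6f8a7" /P "Admin:N"'),
    (4316, r"C:\Windows\SysWOW64\rundll32.exe",
     r'"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main'),
    (4320, r"C:\Windows\system32\sc.exe", r"C:\Windows\system32\sc.exe start wuauserv"),
    (9001, r"C:\Windows\System32\schtasks.exe",
     r'schtasks /Create /SC DAILY /TN Backup /TR "C:\Program Files\Backup\backup.exe"'),
]

# Any path under a user's AppData tree is treated as user-writable (example's own heuristic).
USER_WRITABLE_MARK = "\\appdata\\"


def check_schtasks(cmd):
    """Flag /Create with a MINUTE schedule whose /TR target lives under AppData."""
    if not re.search(r"/create\b", cmd, re.I):
        return None
    m = re.search(r'/TR\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    target = (m.group(1) or m.group(2)) if m else ""
    if re.search(r"/SC\s+MINUTE\b", cmd, re.I) and USER_WRITABLE_MARK in target.lower():
        mo = re.search(r"/MO\s+(\d+)", cmd, re.I)
        return f"scheduled task every {mo.group(1) if mo else '1'} minute(s) runs {target}"
    return None


def check_cacls(cmd):
    """Flag /P <user>:N, which replaces that user's permissions with none."""
    m = re.search(r'/P\s+"?([^":\s]+):N\b', cmd, re.I)
    if not m:
        return None
    first_arg = re.search(r'^\S+\s+"?([^"\s]+)"?', cmd)  # the file or folder operand
    return f"denies {m.group(1)} all access to {first_arg.group(1) if first_arg else '?'}"


def check_rundll32(cmd):
    """Flag a DLL loaded from a user profile path."""
    m = re.search(r'([a-z]:\\users\\[^\s,"]+\.dll)', cmd, re.I)
    if m and USER_WRITABLE_MARK in m.group(1).lower():
        return f"rundll32 loads DLL from user profile: {m.group(1)}"
    return None


CHECKS = {"schtasks.exe": check_schtasks, "cacls.exe": check_cacls, "rundll32.exe": check_rundll32}


def triage(records):
    """Return [(pid, finding)] for records matching the persistence pattern seen in this run."""
    findings = []
    for pid, image, cmd in records:
        check = CHECKS.get(image.rsplit("\\", 1)[-1].lower())
        hit = check(cmd) if check else None
        if hit:
            findings.append((pid, hit))
    return findings


if __name__ == "__main__":
    for pid, finding in triage(RECORDS):
        print(pid, finding)
```

Only the deny step of each cacls pair is flagged; the follow-up "Admin:R /E" that restores read access is legitimate on its own, and keying on the ":N" replacement keeps the rule from firing on ordinary permission edits. The sc.exe start of wuauserv is deliberately not flagged: it is visible here, but nothing in the report ties it to the sample.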
Network
MITRE ATT&CK Enterprise v6
Downloads
Thirteen distinct files were dropped or downloaded during the run. The report lists several of them more than once with identical hashes; each unique file is given once below, in order of first appearance, with the number of times it is listed.

File 1 (listed 7 times)
Filesize: 240KB
MD5: 009e87e41bc39123483e59c1dea50597
SHA1: 6915fa46289c5fe698d3feae81078bb59389a294
SHA256: 838363715b47fdfaba56ea4f1eafcedbc682193700525097334138b497c89254
SHA512: 2a7b2754ad8ccffc4f26be1168ee9261028af66d28a7fb0fd11e4ce7509d8dbad9fbd4fc5f55e621aba4b4ac9b64b58abfcfe3f29896b01a7da8ff770d29d832

File 2 (listed 2 times)
Filesize: 177KB
MD5: 97f85d70540d4eb6633fae5416a54314
SHA1: 399086279f63ea14e71131e5b080003fda886c0a
SHA256: 4e15916244c5fd15f06e4a1e932613678f03cd7081c7fcefe6f186cf3cec69fe
SHA512: 13523329bc45d8805800dfcea3e55e373c7e028479bf198e0d796ad052e61c41e0f3aeeedade3efb67885df9f3066e01c4154bda3994e8ccfbe07aef4b44976a

File 3 (listed 2 times)
Filesize: 1.2MB
MD5: b168cbc8518e38a6876e47d1c591981f
SHA1: bfa2f5f25ba660cc77ed33957130f6df0923872c
SHA256: fec10853bc0e9d3f79a27f694af121b6f1d57a4d4767e8d124bd45038c2cc17d
SHA512: df57e626bfaf56a349473b8b66b3c8b3cac0d58d70e87b5e45bc888994017868a17267efca7ea2cde86b97f6c77fba12fa6fc3e86e25f0fdadf8f9f2c253d534

File 4 (listed 2 times)
Filesize: 996KB
MD5: 26e148d4969a514924cf9dc993472bb7
SHA1: 0ab1aa0138f8999c43549ae7d07e0a70878bfbdf
SHA256: 9572dd7a9869e3b9d107a7e0eec84ce810b722dba8233981854cd9d61e1585ec
SHA512: 54c5859f83d188dc213476e0ee5ecd397e1e842c0da83083c337bf6b42bec7dee976241ca581d24ccfe045f7fc0f9e742c1d8f53b3e6131cb28af8b11a269002

File 5 (listed 2 times)
Filesize: 17KB
MD5: 916d30a64d22a10816eaa7c201218add
SHA1: 9749eae262e34a4bd84edb5fa01d606d09f2e662
SHA256: a85f0aeaae04459db2f7269135b49bb32714d2f2c235f4a92da975b809eca7d5
SHA512: fa2fa30f1a17112fcf31ffa67b60007f61ea5c8e5c7c51978cb4ecef12390c67b9a0fc9cacc8298570379c00c9295d8b93d41c0a5a798b14a8b4583aca2b8c32

File 6 (listed 2 times)
Filesize: 893KB
MD5: 980d0ba404d4dd25df91abb11218a23c
SHA1: b3b4b93c1f73a70c54c8f6513978d2a2bd2dfe15
SHA256: d5dffc4557e79d7d3759e1cde0e4f5de60dfaa5608775f167a9d6c83ec7fe7e6
SHA512: ecaeb91f298b48753bf803ef84ab8772a4aecdf547d8fdd7c9d2e0b448ff1e0a2b21e7eeae4e20413102df847dda2508069ffd9c32ba78fe965bac82d5dccb93

File 7 (listed 5 times)
Filesize: 304KB
MD5: bc94778948460579a0739b42d8018118
SHA1: f960e87471a354673dc63408a7cfd07052a18561
SHA256: 164e02a2c9318020d3b3db0e977aadf0890dd6ad139cfcd07195e62578f44d8b
SHA512: ff267c27af132c2ce96ca075011a96596d045f771c3439d72b1ea1f567fe585f139b0e7dc8f5c97d340209f478d7e9cad374fc0497345998702f06e234ca657b

File 8 (listed 2 times)
Filesize: 667KB
MD5: fabb72a75035bab0a76d37de38617ad5
SHA1: 2d27a5529732bbbd0a104cffb35e887a5049522b
SHA256: b027e2fbf661134e2a09372b30234b79e5b1810da4a0ef2cb51c77972b4be63a
SHA512: 8f695923ff3a461ec98d9e49a843fb19babcfdbb0e4f1cd8758ee66c604c727aad67bd59d62b73d290c990bd5a98fff694ada5bb5bb5f08dfdcf4fb499749dde

File 9 (listed 2 times)
Filesize: 246KB
MD5: 1b00aa290c5f57aca9420b25512997ac
SHA1: 755c6719b2ccaad2292189a34e2250a0a4f098ca
SHA256: c8a94b411835cc43efcb2f22680bcd8523065dc9886a406508b6d362c5be8b4a
SHA512: 93af0e601c6930507a3904b4042bb9c0a175ae71c752b5785622ff72a1d5f58e2b82e867ac750f4ba7b9ba6582443e2b217f799f6787fcbb4c9bfac4f731922d

File 10 (listed 2 times)
Filesize: 392KB
MD5: 06682067d3cecf7b9e14da3f4c26c319
SHA1: cf03dab4b193c6454803abb8c79a45930fd48611
SHA256: faeff35041e80d6636d682ee0ce5709053dc59efa382dabdb47c5c5b74f19d11
SHA512: 4a5ce5bd1fd77249005314b4a4645f9b5427c5772037ca3ed8c32c36831428fa6cb8e2cc51e7a47fea70d0d5cfda56ca4211c7740bdd2ce404266b4b0bb60c05

File 11 (listed 3 times)
Filesize: 17KB
MD5: 8ec4aba9e3b0f7d50cdcb3fb1cb16f17
SHA1: a256624d1468d6a526140fda894191c2de7e18f9
SHA256: 54ea074fb1e8c65abc8111c76abeb2e9d2270dbc455083a11acb8536d0c3bc84
SHA512: 0d61fe83968956cf1c00c19df91b67a8ecf6063e63c49fe533618ad3abd069e268844c5baa6b10089f20d6efdbb379349d3f17bc96b94ec84c7b54b9987bfdb7

File 12 (listed 3 times)
Filesize: 89KB
MD5: 937b902b8ad05afb922313d2341143f4
SHA1: b48d5579e01000cdb3c3ef4e1ad1b97d2056a8b1
SHA256: f0f0e7ab301101e6473f1dbcadd2272468af036195685c0ae51c9d90c40f0849
SHA512: 91f67248e47b2fced9ff802370ced4e0de675d06e7ef32acd40a479fecfe8b912dfb2abf76cb8b391f471d8dd134b5f041186541a8038ef84219c852f31f37ff

File 13 (listed once)
Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5