Analysis
max time kernel: 146s
max time network: 119s
platform: windows10-1703_x64
resource: win10-20230220-en
resource tags: arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
submitted: 02-03-2023 05:51
Static task: static1
General
Target: d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe
Size: 1.3MB
MD5: d2471317f2a91ba198d3bce8500ab895
SHA1: 85de5c6f1166dbbe8b3e4cf130fe698c48e8b4c9
SHA256: d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650
SHA512: f870bea584f7704790c753b390a334bda00fdfda940ecf2b7b7f305275add51735d7cc65e99ad157473db7d39405a594bad8d0bf2bb356a944a53ad6a3459cb0
SSDEEP: 24576:1yOI4c8Twqz0ZwKgmQTNYOY0xMS5EC/I3tGPd/V+iqjODPkY8qBY7:QOI4z0s0am8YRkE8dI4hB
Malware Config

Extracted: redline
  botnet: rouch
  C2: 193.56.146.11:4162
  auth_value: 1b1735bcfc122c708eae27ca352568de

Extracted: amadey
  version: 3.67
  C2: 193.233.20.14/BR54nmB3/index.php

Extracted: redline
  botnet: fuba
  C2: 193.56.146.11:4162
  auth_value: 43015841fc23c63b15ca6ffe1d278d5e
Signatures

Modifies Windows Defender Real-time Protection settings 15 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | berj60FG67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | berj60FG67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | gndL49lk29.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | berj60FG67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | berj60FG67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | gndL49lk29.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | gndL49lk29.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | gndL49lk29.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | berj60FG67.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | gndL49lk29.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 35 IoCs
resource | yara_rule
behavioral1/memory/1060-168-0x0000000004890000-0x00000000048D6000-memory.dmp | family_redline
behavioral1/memory/1060-170-0x0000000007150000-0x0000000007194000-memory.dmp | family_redline
behavioral1/memory/1060-175-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-176-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-178-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-180-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-182-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-184-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-186-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-188-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-190-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-192-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-194-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-196-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-198-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-200-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-202-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-204-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-206-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-208-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-210-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-212-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-214-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-216-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-218-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-220-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-222-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-224-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-226-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-228-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-230-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-232-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-234-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-236-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
behavioral1/memory/1060-238-0x0000000007150000-0x000000000718E000-memory.dmp | family_redline
Executes dropped EXE 15 IoCs
pid | Process
4452 | ptMM5895fA.exe
4824 | ptHn4175BI.exe
2244 | ptLe5581Ru.exe
4312 | ptTm6748HI.exe
5116 | ptcY0208kc.exe
3856 | berj60FG67.exe
1060 | cuFL67PV66.exe
2648 | dsfG92Sb16.exe
4668 | fr66fn3457De.exe
508 | gndL49lk29.exe
660 | hk87pR74tA27.exe
5032 | mnolyk.exe
768 | jxHw21wQ37.exe
164 | mnolyk.exe
364 | mnolyk.exe

Loads dropped DLL 1 IoCs
pid | Process
2080 | rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | berj60FG67.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | dsfG92Sb16.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | gndL49lk29.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptTm6748HI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | ptTm6748HI.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptcY0208kc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptMM5895fA.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | ptHn4175BI.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptLe5581Ru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | ptLe5581Ru.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ptMM5895fA.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ptHn4175BI.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\"" | ptcY0208kc.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
1212 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid | Process
3856 | berj60FG67.exe
3856 | berj60FG67.exe
1060 | cuFL67PV66.exe
1060 | cuFL67PV66.exe
2648 | dsfG92Sb16.exe
2648 | dsfG92Sb16.exe
4668 | fr66fn3457De.exe
4668 | fr66fn3457De.exe
508 | gndL49lk29.exe
508 | gndL49lk29.exe
768 | jxHw21wQ37.exe
768 | jxHw21wQ37.exe
Suspicious use of AdjustPrivilegeToken 6 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3856 | berj60FG67.exe
Token: SeDebugPrivilege | 1060 | cuFL67PV66.exe
Token: SeDebugPrivilege | 2648 | dsfG92Sb16.exe
Token: SeDebugPrivilege | 4668 | fr66fn3457De.exe
Token: SeDebugPrivilege | 508 | gndL49lk29.exe
Token: SeDebugPrivilege | 768 | jxHw21wQ37.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 3532 wrote to memory of 4452 | 3532 | d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe | 66 | 3
PID 4452 wrote to memory of 4824 | 4452 | ptMM5895fA.exe | 67 | 3
PID 4824 wrote to memory of 2244 | 4824 | ptHn4175BI.exe | 68 | 3
PID 2244 wrote to memory of 4312 | 2244 | ptLe5581Ru.exe | 69 | 3
PID 4312 wrote to memory of 5116 | 4312 | ptTm6748HI.exe | 70 | 3
PID 5116 wrote to memory of 3856 | 5116 | ptcY0208kc.exe | 71 | 2
PID 5116 wrote to memory of 1060 | 5116 | ptcY0208kc.exe | 72 | 3
PID 4312 wrote to memory of 2648 | 4312 | ptTm6748HI.exe | 74 | 3
PID 2244 wrote to memory of 4668 | 2244 | ptLe5581Ru.exe | 75 | 3
PID 4824 wrote to memory of 508 | 4824 | ptHn4175BI.exe | 76 | 2
PID 4452 wrote to memory of 660 | 4452 | ptMM5895fA.exe | 77 | 3
PID 660 wrote to memory of 5032 | 660 | hk87pR74tA27.exe | 78 | 3
PID 3532 wrote to memory of 768 | 3532 | d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe | 79 | 3
PID 5032 wrote to memory of 1212 | 5032 | mnolyk.exe | 80 | 3
PID 5032 wrote to memory of 1472 | 5032 | mnolyk.exe | 81 | 3
PID 1472 wrote to memory of 1240 | 1472 | cmd.exe | 84 | 3
PID 1472 wrote to memory of 1184 | 1472 | cmd.exe | 85 | 3
PID 1472 wrote to memory of 2340 | 1472 | cmd.exe | 86 | 3
PID 1472 wrote to memory of 2344 | 1472 | cmd.exe | 87 | 3
PID 1472 wrote to memory of 5072 | 1472 | cmd.exe | 88 | 3
PID 1472 wrote to memory of 372 | 1472 | cmd.exe | 89 | 3
PID 5032 wrote to memory of 2080 | 5032 | mnolyk.exe | 91 | 3
(The "entries" column gives how many identical rows the report lists for that write; the 22 distinct writes total 64 IoCs.)
Processes (tree; indentation shows the parent/child depth)

image: C:\Users\Admin\AppData\Local\Temp\d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe
cmdline: "C:\Users\Admin\AppData\Local\Temp\d3a28e6f0484ed8cd83df1772378721e09901475592fa1fc01062e60a7c30650.exe"
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3532

  image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptMM5895fA.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ptMM5895fA.exe
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4452

    image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptHn4175BI.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ptHn4175BI.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4824

      image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptLe5581Ru.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ptLe5581Ru.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      PID:2244

        image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptTm6748HI.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\ptTm6748HI.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID:4312

          image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptcY0208kc.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\ptcY0208kc.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          PID:5116

            image: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\berj60FG67.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\berj60FG67.exe
            - Modifies Windows Defender Real-time Protection settings
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:3856

            image: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuFL67PV66.exe
            cmdline: C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\cuFL67PV66.exe
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1060

          image: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsfG92Sb16.exe
          cmdline: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\dsfG92Sb16.exe
          - Modifies Windows Defender Real-time Protection settings
          - Executes dropped EXE
          - Windows security modification
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:2648

        image: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr66fn3457De.exe
        cmdline: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\fr66fn3457De.exe
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID:4668

      image: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gndL49lk29.exe
      cmdline: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\gndL49lk29.exe
      - Modifies Windows Defender Real-time Protection settings
      - Executes dropped EXE
      - Windows security modification
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:508

    image: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk87pR74tA27.exe
    cmdline: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\hk87pR74tA27.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:660

      image: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:5032

        image: C:\Windows\SysWOW64\schtasks.exe
        cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN mnolyk.exe /TR "C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe" /F
        - Creates scheduled task(s)
        PID:1212

        image: C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "mnolyk.exe" /P "Admin:N"&&CACLS "mnolyk.exe" /P "Admin:R" /E&&echo Y|CACLS "..\465af4af92" /P "Admin:N"&&CACLS "..\465af4af92" /P "Admin:R" /E&&Exit
        - Suspicious use of WriteProcessMemory
        PID:1472

          image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID:1240

          image: C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "mnolyk.exe" /P "Admin:N"
          PID:1184

          image: C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "mnolyk.exe" /P "Admin:R" /E
          PID:2340

          image: C:\Windows\SysWOW64\cmd.exe
          cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          PID:2344

          image: C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\465af4af92" /P "Admin:N"
          PID:5072

          image: C:\Windows\SysWOW64\cacls.exe
          cmdline: CACLS "..\465af4af92" /P "Admin:R" /E
          PID:372

        image: C:\Windows\SysWOW64\rundll32.exe
        cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\c1ec479e5342a2\clip64.dll, Main
        - Loads dropped DLL
        PID:2080

  image: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHw21wQ37.exe
  cmdline: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jxHw21wQ37.exe
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:768

image: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
- Executes dropped EXE
PID:164

image: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
cmdline: C:\Users\Admin\AppData\Local\Temp\465af4af92\mnolyk.exe
- Executes dropped EXE
PID:364
Network
MITRE ATT&CK Enterprise v6
Downloads (distinct files; the report lists several of them more than once)

Filesize: 239KB
MD5: 2245de96c5eb1c625bde6e018ffc9839
SHA1: b141f8c1ff2f838d0e2c17479c90d61747db9c47
SHA256: a133863e4ff1667006cd5d3d0fac8393146c0931f718c2f7d0090919e8444709
SHA512: dbf580f3b5b6c1ce419a7d605f7c422ddb82e1e046031fa56286d54db759c391791b648cd3e16758e22d902bcc1ab9458be17a76d04a732cc13e4f56ecf92d77

Filesize: 175KB
MD5: 63f2f4d0d6d3f4c1df77cf3f2429c39d
SHA1: 3fd22a235dd9739d96c4dea8e3d499e1f7d1490e
SHA256: 61daaf57dce719050f367ffe169f9cfaf205053d2ffc237c835992de10c453f8
SHA512: 434106422e403c766da99019a4937208d566cff3213ea4e745b3967de51d5e0c54ec428036d4ba88fd5da8612a638179cbbb173ec9908f350859dc0cf3cfc61d

Filesize: 1.2MB
MD5: d760eb01f07f77c42ea13fed121ebe24
SHA1: 4383c32ccb5dd16115596dc355db038b99f57327
SHA256: 0c152b1b729fb47e16f9b584685ed81be2cd261dfa44e04a2ddc16139acffacf
SHA512: 831ae3dcb2f863d04118ffbff35c1ac607704cc8a28512bdc08b7d0eec50a49db7be6c0a15d919e13678c3d57862940eadb618d3570d72ac6275b4a6b10e1571

Filesize: 1021KB
MD5: c213642df417eae30f43e2195be07c23
SHA1: 587e8b3ee3c4ff037db9b60bf0a4cdbb89a3bdb7
SHA256: 022f2106a320b2519c14d4734df687dbab92e5bbb2935575049d05adb9c0e1bc
SHA512: 1ab7ae014700fac72982735d74900d3d1df15cb3310a1d1c656563a0d46fe0d4b6a58e84c67a0b4656d2da9621a4168cedf74c74a3a02bc0385fd1132436ff3f

Filesize: 12KB
MD5: 3ba92b8b86daadad96af09d070c3df9b
SHA1: 3a5a37b084953ef4084a8be709ca851aa69fae64
SHA256: 566058cf52fc3e8dd477ab572e1dd17863c2022f2fc6f1002feda94940812752
SHA512: 698f287949a039e4c1995a0710efe5d4e3222688efab874661834c3ef845bbd3be1e632853cc8415083d6b7f3088a67c24e20c00d5d32f9c7956714113355823

Filesize: 919KB
MD5: 1ec0038a93d58b063e873705dc1d1430
SHA1: 98af16e01f3f015ec1c6ccbac3d6e969c1ef7f8d
SHA256: 4ad840509e5f4cf5743cf5c8c1d90f36e9f0b1cb9ab74ca8fa5fd96ca5261184
SHA512: 77252b6b3020fcb8e473870d02a96a445eb8d9abd6c8c3eb5b95e22c97174f8b9a53431de7a2fff37d5486851fdbe364bf64ab79517283a67f05ea8769c8ebd3

Filesize: 381KB
MD5: 57b4e73c1d36751cb60a4d2e68594087
SHA1: 0e371eaad20ebbb81735876f0f1703adee193117
SHA256: 39f6bf6cf9f7bfba26380635a4b052c5de0e1688c92bacc10411dad74886dd25
SHA512: e5e81ce16ccd679b95cde5e1db79b62fe878d8c5e27d217bf0605433f47626261756b6b7da870333233023b1e8ea30af07af395b9078a7dd1c72834c254e279c

Filesize: 692KB
MD5: a0625c264b493199d99aab85b7f6fcf0
SHA1: f42ea0b9bcc91209fad82dda713ef6a2630a9476
SHA256: 5553f1c9e7e13b97d920d59b5fdf672b3b01a074d92256ce032380fbe23438d4
SHA512: 0a54999c18c65ca8fd117c693187ff3115c3b789984bfce11b02eefd6b59f0e3e8923601e2c53b65a81eae97689fb6230d5ac32bbb21827dc07f673cb75a4556

Filesize: 323KB
MD5: 3f33c6c8759069f165f07180a32abf2e
SHA1: a85dadf12b28a19928e42a81b66f6858fe07b4b2
SHA256: 8e20b7bce03582ff47bb369c0694190ba21061b9ba3c10fb4cd1b899277fd0ba
SHA512: fa9cea89d7109d901b75ae6c8aff17a70e63bae4c9c4764ba569562fc338bbccb04092ccbe22bd8c24a4f9fcaa9c99f0fedb13717314e19ed5bd5dea457ee148

Filesize: 404KB
MD5: e1648f7012c62f235ea8ef587f508b18
SHA1: 736d62367e6a08b6adbc689385b048fc06d232e9
SHA256: eeefd36eb34073cc4820fc5e487cded55032f6246f968bca9224e84244d398b4
SHA512: 925cf3c3ce13a3a0c376c0c5cab4c4113f039ddbe7214496e82fc72683f28fd2c2649c7b3ef0e244109b3467ee1ab7ebe5a08369bce6563bdf73133d0e7f7330

Filesize: 12KB
MD5: 0a3b99cecacf8a8da8bdfe454542318f
SHA1: 9f9609c9bcef3897cd5c000da8407e5aaca25f36
SHA256: 3191b9a3c7593a1cd212e35dff7b0b03c0c7ba8ec3b52eafe220c45f022e1bca
SHA512: 82deb268584e41c288533b326949665a866792e17fb2b3df1a926f69a27ad74f888d63c161494041584cf6e16cfc49502162e1854df1356e48a3c1cebc9553c1

Filesize: 89KB
MD5: eff1ce4e3c7459a8061b91c5b55e0504
SHA1: b790e43dae923d673aadf9e11a4f904a4c44a3f4
SHA256: bfa2c6b2a0303482dd77f02dc34fa0df450f46debd87b8d6a8473ac7889b605a
SHA512: d3ade314ad8f337d5117a3e0cec2eb7128936d97f09f496e1a0cb76b4e3204c30858ab4c6a2da9bd8fe776d32b7af38dc60d14b7c800d6f0ebb275132172cd78

Filesize: 162B
MD5: 1b7c22a214949975556626d7217e9a39
SHA1: d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256: 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512: ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5