redline | 1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe
Size

773KB
MD5

c9bb26b7ec51a35230da7c97894557bf
SHA1

4ecc52fb91981138fcbcae09ea7b4de38a39603b
SHA256

1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d
SHA512

42aca363d93454f1c84a752d025356ea929d57e539c50d015b65185fcfbf50ba3aa9a6d0a6cd99ed3b5a6c1b702c86731947783b15efd1004722061232990e8f
SSDEEP

24576:VyyI/7YG/XX9CSF+B9W5o1ehBcbNGhUm:wnTYG0S4nALXhU

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea5016254.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5016254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5016254.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5016254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5016254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5016254.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5016254.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d1706829.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	d1706829.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v5995233.exev6467811.exev1797333.exea5016254.exeb6514669.exec8817236.exed1706829.exelamod.exee7964195.exelamod.exelamod.exe

pid	process
2972	v5995233.exe
1224	v6467811.exe
944	v1797333.exe
1116	a5016254.exe
892	b6514669.exe
348	c8817236.exe
1548	d1706829.exe
5068	lamod.exe
752	e7964195.exe
4300	lamod.exe
2660	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4572 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5016254.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5016254.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4572	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5016254.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v6467811.exev1797333.exe1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exev5995233.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6467811.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1797333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1797333.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v5995233.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v5995233.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6467811.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b6514669.exee7964195.exe

description	pid	process	target process
PID 892 set thread context of 3184	892	b6514669.exe	AppLaunch.exe
PID 752 set thread context of 3588	752	e7964195.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2028 892 WerFault.exe b6514669.exe
2832 752 WerFault.exe e7964195.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5040 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a5016254.exeAppLaunch.exec8817236.exeAppLaunch.exe

pid process

1116 a5016254.exe
1116 a5016254.exe
3184 AppLaunch.exe
3184 AppLaunch.exe
348 c8817236.exe
348 c8817236.exe
3588 AppLaunch.exe
3588 AppLaunch.exe

pid	pid_target	process	target process
2028	892	WerFault.exe	b6514669.exe
2832	752	WerFault.exe	e7964195.exe

pid	process
5040	schtasks.exe

pid	process
1116	a5016254.exe
1116	a5016254.exe
3184	AppLaunch.exe
3184	AppLaunch.exe
348	c8817236.exe
348	c8817236.exe
3588	AppLaunch.exe
3588	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a5016254.exeAppLaunch.exec8817236.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1116	a5016254.exe
Token: SeDebugPrivilege	3184	AppLaunch.exe
Token: SeDebugPrivilege	348	c8817236.exe
Token: SeDebugPrivilege	3588	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d1706829.exe

pid process

1548 d1706829.exe

pid	process
1548	d1706829.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exev5995233.exev6467811.exev1797333.exeb6514669.exed1706829.exelamod.exee7964195.execmd.exe

description	pid	process	target process
PID 4424 wrote to memory of 2972	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	v5995233.exe
PID 4424 wrote to memory of 2972	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	v5995233.exe
PID 4424 wrote to memory of 2972	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	v5995233.exe
PID 2972 wrote to memory of 1224	2972	v5995233.exe	v6467811.exe
PID 2972 wrote to memory of 1224	2972	v5995233.exe	v6467811.exe
PID 2972 wrote to memory of 1224	2972	v5995233.exe	v6467811.exe
PID 1224 wrote to memory of 944	1224	v6467811.exe	v1797333.exe
PID 1224 wrote to memory of 944	1224	v6467811.exe	v1797333.exe
PID 1224 wrote to memory of 944	1224	v6467811.exe	v1797333.exe
PID 944 wrote to memory of 1116	944	v1797333.exe	a5016254.exe
PID 944 wrote to memory of 1116	944	v1797333.exe	a5016254.exe
PID 944 wrote to memory of 892	944	v1797333.exe	b6514669.exe
PID 944 wrote to memory of 892	944	v1797333.exe	b6514669.exe
PID 944 wrote to memory of 892	944	v1797333.exe	b6514669.exe
PID 892 wrote to memory of 3184	892	b6514669.exe	AppLaunch.exe
PID 892 wrote to memory of 3184	892	b6514669.exe	AppLaunch.exe
PID 892 wrote to memory of 3184	892	b6514669.exe	AppLaunch.exe
PID 892 wrote to memory of 3184	892	b6514669.exe	AppLaunch.exe
PID 892 wrote to memory of 3184	892	b6514669.exe	AppLaunch.exe
PID 1224 wrote to memory of 348	1224	v6467811.exe	c8817236.exe
PID 1224 wrote to memory of 348	1224	v6467811.exe	c8817236.exe
PID 1224 wrote to memory of 348	1224	v6467811.exe	c8817236.exe
PID 2972 wrote to memory of 1548	2972	v5995233.exe	d1706829.exe
PID 2972 wrote to memory of 1548	2972	v5995233.exe	d1706829.exe
PID 2972 wrote to memory of 1548	2972	v5995233.exe	d1706829.exe
PID 1548 wrote to memory of 5068	1548	d1706829.exe	lamod.exe
PID 1548 wrote to memory of 5068	1548	d1706829.exe	lamod.exe
PID 1548 wrote to memory of 5068	1548	d1706829.exe	lamod.exe
PID 4424 wrote to memory of 752	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	e7964195.exe
PID 4424 wrote to memory of 752	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	e7964195.exe
PID 4424 wrote to memory of 752	4424	1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe	e7964195.exe
PID 5068 wrote to memory of 5040	5068	lamod.exe	schtasks.exe
PID 5068 wrote to memory of 5040	5068	lamod.exe	schtasks.exe
PID 5068 wrote to memory of 5040	5068	lamod.exe	schtasks.exe
PID 5068 wrote to memory of 3080	5068	lamod.exe	cmd.exe
PID 5068 wrote to memory of 3080	5068	lamod.exe	cmd.exe
PID 5068 wrote to memory of 3080	5068	lamod.exe	cmd.exe
PID 752 wrote to memory of 3588	752	e7964195.exe	AppLaunch.exe
PID 752 wrote to memory of 3588	752	e7964195.exe	AppLaunch.exe
PID 752 wrote to memory of 3588	752	e7964195.exe	AppLaunch.exe
PID 3080 wrote to memory of 3768	3080	cmd.exe	cmd.exe
PID 3080 wrote to memory of 3768	3080	cmd.exe	cmd.exe
PID 3080 wrote to memory of 3768	3080	cmd.exe	cmd.exe
PID 752 wrote to memory of 3588	752	e7964195.exe	AppLaunch.exe
PID 3080 wrote to memory of 4940	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 4940	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 4940	3080	cmd.exe	cacls.exe
PID 752 wrote to memory of 3588	752	e7964195.exe	AppLaunch.exe
PID 3080 wrote to memory of 5044	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 5044	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 5044	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 2756	3080	cmd.exe	cmd.exe
PID 3080 wrote to memory of 2756	3080	cmd.exe	cmd.exe
PID 3080 wrote to memory of 2756	3080	cmd.exe	cmd.exe
PID 3080 wrote to memory of 1980	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 1980	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 1980	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 2240	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 2240	3080	cmd.exe	cacls.exe
PID 3080 wrote to memory of 2240	3080	cmd.exe	cacls.exe
PID 5068 wrote to memory of 4572	5068	lamod.exe	rundll32.exe
PID 5068 wrote to memory of 4572	5068	lamod.exe	rundll32.exe
PID 5068 wrote to memory of 4572	5068	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe
"C:\Users\Admin\AppData\Local\Temp\1a405826de288403139f9f65b4946105c4b4c5543decfe3c1814f4f869a6e06d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5995233.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5995233.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6467811.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6467811.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1224
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1797333.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1797333.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:944
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5016254.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5016254.exe
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        Windows security modification
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6514669.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6514669.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:892
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        6⤵
        Modifies Windows Defender Real-time Protection settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 892 -s 152
        6⤵
        Program crash
        
        PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8817236.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8817236.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:348
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1706829.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1706829.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
      "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
        5⤵
        Creates scheduled task(s)
        
        PID:5040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:3768
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:N"
        6⤵
        
        PID:4940
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "lamod.exe" /P "Admin:R" /E
        6⤵
        
        PID:5044
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        6⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:N"
        6⤵
        
        PID:1980
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\a9e2a16078" /P "Admin:R" /E
        6⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
        5⤵
        Loads dropped DLL
        
        PID:4572
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7964195.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7964195.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 148
    3⤵
    - Program crash
    PID:2832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 892 -ip 892
1⤵
PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 752 -ip 752
1⤵
PID:484

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7964195.exe

Filesize
309KB

MD5
4f2d4ab8435d94da7784b46cf80a4c14

SHA1
3aabd790820327b5646a8848f6df8682021391ea

SHA256
7ff26300a20d82ca222f45246a79e728fab1bd464d1eb7e98221f94b78a62a4a

SHA512
9efc938e4ce85b66e0eb5a10beed215b12b73334487781eae22cb808910a84133709cf23361f08f23eae202f46842364703f06105bbd7d7a159bfd761b5b4d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7964195.exe

Filesize
309KB

MD5
4f2d4ab8435d94da7784b46cf80a4c14

SHA1
3aabd790820327b5646a8848f6df8682021391ea

SHA256
7ff26300a20d82ca222f45246a79e728fab1bd464d1eb7e98221f94b78a62a4a

SHA512
9efc938e4ce85b66e0eb5a10beed215b12b73334487781eae22cb808910a84133709cf23361f08f23eae202f46842364703f06105bbd7d7a159bfd761b5b4d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5995233.exe

Filesize
549KB

MD5
8897fb1f1c1bef662c9911eed99540b3

SHA1
b2047b4bfc6d10a1bbb44b84c36bcc5194309f65

SHA256
1a531b5337cca3c02de288a5765f9841069aeaad371612178b0eeb07ea033bb4

SHA512
e82c6dbd7cffc7599f9bda80a748fe0f3690830b4733e7c6d532fd8acbe2d3fc1e4f45b55ed82f16f5f0633219457c3b041f8a468caa771e52237a9cb74d6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v5995233.exe

Filesize
549KB

MD5
8897fb1f1c1bef662c9911eed99540b3

SHA1
b2047b4bfc6d10a1bbb44b84c36bcc5194309f65

SHA256
1a531b5337cca3c02de288a5765f9841069aeaad371612178b0eeb07ea033bb4

SHA512
e82c6dbd7cffc7599f9bda80a748fe0f3690830b4733e7c6d532fd8acbe2d3fc1e4f45b55ed82f16f5f0633219457c3b041f8a468caa771e52237a9cb74d6329

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1706829.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d1706829.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6467811.exe

Filesize
377KB

MD5
f7a66c7c96835d3de6a91614eeb2d35e

SHA1
e2765186046de67fb219be96dcc862163571b14c

SHA256
133cdbd399bd994ef9bc935a22e47108bc1eec54ffbebed9c6779a8b513fbd6a

SHA512
2a8142b10b71bcb189f082a68c7ada160e7937db31d620fa06953d9753b8595fc1e2cd82efa3bb78da6f85f643d5947d927e2671c86fd88a639890ad4ba871ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6467811.exe

Filesize
377KB

MD5
f7a66c7c96835d3de6a91614eeb2d35e

SHA1
e2765186046de67fb219be96dcc862163571b14c

SHA256
133cdbd399bd994ef9bc935a22e47108bc1eec54ffbebed9c6779a8b513fbd6a

SHA512
2a8142b10b71bcb189f082a68c7ada160e7937db31d620fa06953d9753b8595fc1e2cd82efa3bb78da6f85f643d5947d927e2671c86fd88a639890ad4ba871ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8817236.exe

Filesize
172KB

MD5
ed75c8ceaa0b8ac642d2be1a67fc1ad6

SHA1
895be609f7adc8b3748db8df114173826dab91f0

SHA256
74de8b3bfaaea42aed37f3a838477ff65f3cabb8f2adda5a8befd71756b3ba78

SHA512
5409c14b39a167a57121077cd116880208ff85306a7556d3906c35a630b6bc2c34c835da90b188be8d2fb64c6d4326808491bee593c2edb6156c1d1bdd21321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c8817236.exe

Filesize
172KB

MD5
ed75c8ceaa0b8ac642d2be1a67fc1ad6

SHA1
895be609f7adc8b3748db8df114173826dab91f0

SHA256
74de8b3bfaaea42aed37f3a838477ff65f3cabb8f2adda5a8befd71756b3ba78

SHA512
5409c14b39a167a57121077cd116880208ff85306a7556d3906c35a630b6bc2c34c835da90b188be8d2fb64c6d4326808491bee593c2edb6156c1d1bdd21321f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1797333.exe

Filesize
221KB

MD5
45a76a808e6e0efe668bd18d53894189

SHA1
797b8ec677a9cda9f4480f66b020e58eb5b78d2a

SHA256
3a5660d7e67cccb3ec80bdffd5e46191d9471cf548467b522d0dcbccbc68092d

SHA512
540c639eb83b22f3524d85dd12ed9f7f3ded2614aabe1a6d1fe64574dea6ea24a9d8e2a750cb8d223717266b6398e8c177895d1931aa8863480fe8d2b9b46d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1797333.exe

Filesize
221KB

MD5
45a76a808e6e0efe668bd18d53894189

SHA1
797b8ec677a9cda9f4480f66b020e58eb5b78d2a

SHA256
3a5660d7e67cccb3ec80bdffd5e46191d9471cf548467b522d0dcbccbc68092d

SHA512
540c639eb83b22f3524d85dd12ed9f7f3ded2614aabe1a6d1fe64574dea6ea24a9d8e2a750cb8d223717266b6398e8c177895d1931aa8863480fe8d2b9b46d37

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5016254.exe

Filesize
13KB

MD5
960d22aba67b32518c9fcae37a4b626d

SHA1
c54f8774b66eb6d0caa1b24cb92b64f8dbeb7f5b

SHA256
781edb10a0a0e48bbb415df862ba688f7172d417be78ae4eb469b1c91829481f

SHA512
58e4c5fb0c0021f4ae2dc6ae02ff900bfa3e74a4453f03546a1cdbfb6333777beb1839efbbd072bfabeda0a3848ae236b9bc3d4a1db3293580029582d3d94525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5016254.exe

Filesize
13KB

MD5
960d22aba67b32518c9fcae37a4b626d

SHA1
c54f8774b66eb6d0caa1b24cb92b64f8dbeb7f5b

SHA256
781edb10a0a0e48bbb415df862ba688f7172d417be78ae4eb469b1c91829481f

SHA512
58e4c5fb0c0021f4ae2dc6ae02ff900bfa3e74a4453f03546a1cdbfb6333777beb1839efbbd072bfabeda0a3848ae236b9bc3d4a1db3293580029582d3d94525

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6514669.exe

Filesize
148KB

MD5
e02d3a46c71e6a2891823d9ff9371622

SHA1
e5d8abe2cfab9e9c25b73e5ac67604bec15dee33

SHA256
4d91ae9aa8f3d04c67eaca754c6b7ae10b3b603dbf5d709792d69d893ae1743f

SHA512
27c45a4beea49eb013b730fdac7747c362335551d36667a4a38e1c0069f5a442a8e805acf27ca8baacae5f8cd8286431a2378686615a39604fc5e86acd5ea29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b6514669.exe

Filesize
148KB

MD5
e02d3a46c71e6a2891823d9ff9371622

SHA1
e5d8abe2cfab9e9c25b73e5ac67604bec15dee33

SHA256
4d91ae9aa8f3d04c67eaca754c6b7ae10b3b603dbf5d709792d69d893ae1743f

SHA512
27c45a4beea49eb013b730fdac7747c362335551d36667a4a38e1c0069f5a442a8e805acf27ca8baacae5f8cd8286431a2378686615a39604fc5e86acd5ea29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
3f808ff4feca6b86f3cd809c23e0d3e7

SHA1
3d6c33fd9472e4b6722de78b693036c3f85df5ae

SHA256
1291d8b554bcba4e8664a8c5dd891566e1f3dfd6f14af723860934a2b5337377

SHA512
a15d9a073a78b98944453829b9c2246b03b078db869412c3c38fd121c5a3c3f3a054238b241467663941c71607152e9419a5e326ba22580de0bf27d342b40300

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/348-182-0x000000000BF60000-0x000000000C504000-memory.dmp

Filesize
5.6MB

Download
memory/348-176-0x000000000AE80000-0x000000000AF8A000-memory.dmp

Filesize
1.0MB

Download
memory/348-187-0x000000000CE30000-0x000000000D35C000-memory.dmp

Filesize
5.2MB

Download
memory/348-186-0x000000000C730000-0x000000000C8F2000-memory.dmp

Filesize
1.8MB

Download
memory/348-185-0x000000000C510000-0x000000000C560000-memory.dmp

Filesize
320KB

Download
memory/348-183-0x000000000B2A0000-0x000000000B306000-memory.dmp

Filesize
408KB

Download
memory/348-181-0x000000000B200000-0x000000000B292000-memory.dmp

Filesize
584KB

Download
memory/348-180-0x000000000B0E0000-0x000000000B156000-memory.dmp

Filesize
472KB

Download
memory/348-179-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/348-174-0x0000000000EB0000-0x0000000000EE0000-memory.dmp

Filesize
192KB

Download
memory/348-178-0x000000000ADD0000-0x000000000AE0C000-memory.dmp

Filesize
240KB

Download
memory/348-175-0x000000000B390000-0x000000000B9A8000-memory.dmp

Filesize
6.1MB

Download
memory/348-177-0x000000000AD70000-0x000000000AD82000-memory.dmp

Filesize
72KB

Download
memory/348-188-0x00000000058E0000-0x00000000058F0000-memory.dmp

Filesize
64KB

Download
memory/1116-161-0x0000000000B00000-0x0000000000B0A000-memory.dmp

Filesize
40KB

Download
memory/3184-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3588-212-0x0000000002750000-0x0000000002760000-memory.dmp

Filesize
64KB

Download
memory/3588-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download