redline | 1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3

Analysis

max time kernel
128s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe
Size

772KB
MD5

d26e31a782a313a86079a24cf2b46d63
SHA1

608e08f5e3c25fe9e6c32c54d275dd3d91a8064c
SHA256

1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3
SHA512

2eb36ec4e6ffb84e25b6a5c56e1ef86a99cc22d0b1255bb2f6d7f7713bf9449a75195aa7e9411d09c67f62c8520cfa7b789ef9be43004f8a14d3f70fa62c2028
SSDEEP

12288:aMrzy90wiIg9VjFWhHbS5HYgNBfqrDmsfu9/Vv8RNl28NKN3q:xyCbjFeHbQ1Erpu9dvWDN4a

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a8859633.exeAppLaunch.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a8859633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a8859633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a8859633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a8859633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a8859633.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a8859633.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d8292396.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	d8292396.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v4591869.exev7578153.exev1414493.exea8859633.exeb1373976.exec5245134.exed8292396.exelamod.exee3692213.exelamod.exelamod.exe

pid	process
2504	v4591869.exe
224	v7578153.exe
1508	v1414493.exe
4684	a8859633.exe
4708	b1373976.exe
2128	c5245134.exe
2736	d8292396.exe
4804	lamod.exe
4080	e3692213.exe
2372	lamod.exe
4744	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2784 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a8859633.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a8859633.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2784	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a8859633.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exev4591869.exev7578153.exev1414493.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4591869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4591869.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7578153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v7578153.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1414493.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1414493.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b1373976.exee3692213.exe

description	pid	process	target process
PID 4708 set thread context of 4872	4708	b1373976.exe	AppLaunch.exe
PID 4080 set thread context of 4148	4080	e3692213.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4688 4708 WerFault.exe b1373976.exe
3064 4080 WerFault.exe e3692213.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1748 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a8859633.exeAppLaunch.exec5245134.exeAppLaunch.exe

pid process

4684 a8859633.exe
4684 a8859633.exe
4872 AppLaunch.exe
4872 AppLaunch.exe
2128 c5245134.exe
2128 c5245134.exe
4148 AppLaunch.exe
4148 AppLaunch.exe

pid	pid_target	process	target process
4688	4708	WerFault.exe	b1373976.exe
3064	4080	WerFault.exe	e3692213.exe

pid	process
1748	schtasks.exe

pid	process
4684	a8859633.exe
4684	a8859633.exe
4872	AppLaunch.exe
4872	AppLaunch.exe
2128	c5245134.exe
2128	c5245134.exe
4148	AppLaunch.exe
4148	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a8859633.exeAppLaunch.exec5245134.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4684	a8859633.exe
Token: SeDebugPrivilege	4872	AppLaunch.exe
Token: SeDebugPrivilege	2128	c5245134.exe
Token: SeDebugPrivilege	4148	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d8292396.exe

pid process

2736 d8292396.exe

pid	process
2736	d8292396.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exev4591869.exev7578153.exev1414493.exeb1373976.exed8292396.exelamod.execmd.exee3692213.exe

description	pid	process	target process
PID 3884 wrote to memory of 2504	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	v4591869.exe
PID 3884 wrote to memory of 2504	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	v4591869.exe
PID 3884 wrote to memory of 2504	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	v4591869.exe
PID 2504 wrote to memory of 224	2504	v4591869.exe	v7578153.exe
PID 2504 wrote to memory of 224	2504	v4591869.exe	v7578153.exe
PID 2504 wrote to memory of 224	2504	v4591869.exe	v7578153.exe
PID 224 wrote to memory of 1508	224	v7578153.exe	v1414493.exe
PID 224 wrote to memory of 1508	224	v7578153.exe	v1414493.exe
PID 224 wrote to memory of 1508	224	v7578153.exe	v1414493.exe
PID 1508 wrote to memory of 4684	1508	v1414493.exe	a8859633.exe
PID 1508 wrote to memory of 4684	1508	v1414493.exe	a8859633.exe
PID 1508 wrote to memory of 4708	1508	v1414493.exe	b1373976.exe
PID 1508 wrote to memory of 4708	1508	v1414493.exe	b1373976.exe
PID 1508 wrote to memory of 4708	1508	v1414493.exe	b1373976.exe
PID 4708 wrote to memory of 4872	4708	b1373976.exe	AppLaunch.exe
PID 4708 wrote to memory of 4872	4708	b1373976.exe	AppLaunch.exe
PID 4708 wrote to memory of 4872	4708	b1373976.exe	AppLaunch.exe
PID 4708 wrote to memory of 4872	4708	b1373976.exe	AppLaunch.exe
PID 4708 wrote to memory of 4872	4708	b1373976.exe	AppLaunch.exe
PID 224 wrote to memory of 2128	224	v7578153.exe	c5245134.exe
PID 224 wrote to memory of 2128	224	v7578153.exe	c5245134.exe
PID 224 wrote to memory of 2128	224	v7578153.exe	c5245134.exe
PID 2504 wrote to memory of 2736	2504	v4591869.exe	d8292396.exe
PID 2504 wrote to memory of 2736	2504	v4591869.exe	d8292396.exe
PID 2504 wrote to memory of 2736	2504	v4591869.exe	d8292396.exe
PID 2736 wrote to memory of 4804	2736	d8292396.exe	lamod.exe
PID 2736 wrote to memory of 4804	2736	d8292396.exe	lamod.exe
PID 2736 wrote to memory of 4804	2736	d8292396.exe	lamod.exe
PID 3884 wrote to memory of 4080	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	e3692213.exe
PID 3884 wrote to memory of 4080	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	e3692213.exe
PID 3884 wrote to memory of 4080	3884	1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe	e3692213.exe
PID 4804 wrote to memory of 1748	4804	lamod.exe	schtasks.exe
PID 4804 wrote to memory of 1748	4804	lamod.exe	schtasks.exe
PID 4804 wrote to memory of 1748	4804	lamod.exe	schtasks.exe
PID 4804 wrote to memory of 4636	4804	lamod.exe	cmd.exe
PID 4804 wrote to memory of 4636	4804	lamod.exe	cmd.exe
PID 4804 wrote to memory of 4636	4804	lamod.exe	cmd.exe
PID 4636 wrote to memory of 4064	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4064	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 4064	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 984	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 984	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 984	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4384	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4384	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 4384	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2944	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2944	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 2944	4636	cmd.exe	cmd.exe
PID 4636 wrote to memory of 1580	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1580	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 1580	4636	cmd.exe	cacls.exe
PID 4080 wrote to memory of 4148	4080	e3692213.exe	AppLaunch.exe
PID 4080 wrote to memory of 4148	4080	e3692213.exe	AppLaunch.exe
PID 4080 wrote to memory of 4148	4080	e3692213.exe	AppLaunch.exe
PID 4080 wrote to memory of 4148	4080	e3692213.exe	AppLaunch.exe
PID 4080 wrote to memory of 4148	4080	e3692213.exe	AppLaunch.exe
PID 4636 wrote to memory of 2848	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2848	4636	cmd.exe	cacls.exe
PID 4636 wrote to memory of 2848	4636	cmd.exe	cacls.exe
PID 4804 wrote to memory of 2784	4804	lamod.exe	rundll32.exe
PID 4804 wrote to memory of 2784	4804	lamod.exe	rundll32.exe
PID 4804 wrote to memory of 2784	4804	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe
"C:\Users\Admin\AppData\Local\Temp\1eead999c9fea8513bdd176a43f700354c7b97916de9604b5de30a6a148692c3.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3884

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4591869.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4591869.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7578153.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7578153.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:224

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1414493.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1414493.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1508

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8859633.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8859633.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1373976.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1373976.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 156
6⤵
- Program crash
PID:4688

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5245134.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5245134.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8292396.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8292396.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2736

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:1748

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4064

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:984

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2944

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:1580

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:2848

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:2784

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3692213.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3692213.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 212
3⤵
- Program crash
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4708 -ip 4708
1⤵
PID:2968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4080 -ip 4080
1⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4744

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3692213.exe
Filesize
309KB

MD5
15b02acf5ddf3bc13bb92d43090f3297

SHA1
2a757e5468bb9d69ded3ca4d00cc9b96ba395b80

SHA256
0ad8d7690c45aa74000f6a7a41ff991695258033247ecfc604b03f0c8dd17587

SHA512
47423d74c27284ee97fe0cb01c6c485f9210b43feb5e68d2537dd6520bbe068680911dd17498e0e298743ade08ffee7f2ca78d00e63a5e125518470e5b9d5e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e3692213.exe
Filesize
309KB

MD5
15b02acf5ddf3bc13bb92d43090f3297

SHA1
2a757e5468bb9d69ded3ca4d00cc9b96ba395b80

SHA256
0ad8d7690c45aa74000f6a7a41ff991695258033247ecfc604b03f0c8dd17587

SHA512
47423d74c27284ee97fe0cb01c6c485f9210b43feb5e68d2537dd6520bbe068680911dd17498e0e298743ade08ffee7f2ca78d00e63a5e125518470e5b9d5e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4591869.exe
Filesize
549KB

MD5
1dec2df7e87b0d43c8f8d1e7d443c0f2

SHA1
238e70ca7b7625b0774540d21838df5e36dcefb2

SHA256
6278fc9b08649014202112779ee6476eaa9b84f56cb5629798129333d8f8ee0f

SHA512
89d1f26b6d98368e56ebdc8653f98fc2f5624031cdf70207f64b1cded501c481bf6bed26115395db6bd8014f5579ac63370f79ca64fd93f72d1a6eb14ff07649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4591869.exe
Filesize
549KB

MD5
1dec2df7e87b0d43c8f8d1e7d443c0f2

SHA1
238e70ca7b7625b0774540d21838df5e36dcefb2

SHA256
6278fc9b08649014202112779ee6476eaa9b84f56cb5629798129333d8f8ee0f

SHA512
89d1f26b6d98368e56ebdc8653f98fc2f5624031cdf70207f64b1cded501c481bf6bed26115395db6bd8014f5579ac63370f79ca64fd93f72d1a6eb14ff07649

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8292396.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d8292396.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7578153.exe
Filesize
377KB

MD5
2a9ad9b14d9fd574277e427b1a081b6d

SHA1
c4fd95b2713ed1ec40234ccecad360bfbeeb4c19

SHA256
49a2f37c3d559f7bc76ef8ee038cb22071a3efc36954abbde578e7481715ff13

SHA512
0963950d4a3e13bd89961031dae48b6c0adb14ea1835c580c5c1bc46a75b1f0bac8cf84887a1242106314b5dfc0cada5a225a27c1c35cf93a0e64c1e6617c616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v7578153.exe
Filesize
377KB

MD5
2a9ad9b14d9fd574277e427b1a081b6d

SHA1
c4fd95b2713ed1ec40234ccecad360bfbeeb4c19

SHA256
49a2f37c3d559f7bc76ef8ee038cb22071a3efc36954abbde578e7481715ff13

SHA512
0963950d4a3e13bd89961031dae48b6c0adb14ea1835c580c5c1bc46a75b1f0bac8cf84887a1242106314b5dfc0cada5a225a27c1c35cf93a0e64c1e6617c616

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5245134.exe
Filesize
172KB

MD5
9386e43a72f17e2811f6519cf246bc87

SHA1
36a3dfe23589832c1b8e75dbb4ad8ffac7f3c260

SHA256
70806e53ea7e211d2e47ec954a3257ddba3bfd7ae955b29320b96d0a5fa60f17

SHA512
3ab7100e97558382d5731c8e300074d66f11ba52c46514a3a12569f5e4f6d141616f05a97212cf81eccccb4cebdcba8e645b3a61c651f2613cb99de06f2c9175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c5245134.exe
Filesize
172KB

MD5
9386e43a72f17e2811f6519cf246bc87

SHA1
36a3dfe23589832c1b8e75dbb4ad8ffac7f3c260

SHA256
70806e53ea7e211d2e47ec954a3257ddba3bfd7ae955b29320b96d0a5fa60f17

SHA512
3ab7100e97558382d5731c8e300074d66f11ba52c46514a3a12569f5e4f6d141616f05a97212cf81eccccb4cebdcba8e645b3a61c651f2613cb99de06f2c9175

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1414493.exe
Filesize
221KB

MD5
39c5afc959d28a0597e70c906cd18679

SHA1
5e928a2ffdf5d9bf12bebe9df57f90f4983825f9

SHA256
fdc76ca522695ad8ad740e7b95e0b68a8f6e0eac6179c803146489881a9c0922

SHA512
0d9c78f43bdcbb1e8e8e22d6959501698d5e7c00986448c4060dc09dc17decd7676e427af1e86d050115726e8238d116f495f3a977527ab600bfe34b9329ff17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1414493.exe
Filesize
221KB

MD5
39c5afc959d28a0597e70c906cd18679

SHA1
5e928a2ffdf5d9bf12bebe9df57f90f4983825f9

SHA256
fdc76ca522695ad8ad740e7b95e0b68a8f6e0eac6179c803146489881a9c0922

SHA512
0d9c78f43bdcbb1e8e8e22d6959501698d5e7c00986448c4060dc09dc17decd7676e427af1e86d050115726e8238d116f495f3a977527ab600bfe34b9329ff17

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8859633.exe
Filesize
14KB

MD5
40d08155a8c0f96143fbfe9b7e54d841

SHA1
0c36485a819fca7604135b633761fa626cad1bec

SHA256
edfb95a0b4534edd68a365482682ec495860efe5ef7dd7d23d33101175aea40c

SHA512
f0a0f0a0dce287099b46b8fa6921a3ca7f6772d8ba99b3f1ee6dc24e720d0f0c0c090269e4c700851d6baff5c2589188dd51ab984410c72247b1a6fecad7ac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a8859633.exe
Filesize
14KB

MD5
40d08155a8c0f96143fbfe9b7e54d841

SHA1
0c36485a819fca7604135b633761fa626cad1bec

SHA256
edfb95a0b4534edd68a365482682ec495860efe5ef7dd7d23d33101175aea40c

SHA512
f0a0f0a0dce287099b46b8fa6921a3ca7f6772d8ba99b3f1ee6dc24e720d0f0c0c090269e4c700851d6baff5c2589188dd51ab984410c72247b1a6fecad7ac88

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1373976.exe
Filesize
148KB

MD5
2b5764ee5a0fbb9e8a26759845d2fd52

SHA1
7b07027438f1c80437e0a64a16bf4dc2b772bf2e

SHA256
0f7f2d3af0a24d79f3667754c0fd035eae4f2f4e10ac1aac97f47dc68c8ee59f

SHA512
33b70a26ad5ec93eed1f4579e170e09d9f9899bc70180646e69d5d25a504f7c80549d35b0e3c6d285b9b95bea83b0dfad374bd9e2f0897d63de7db32543368d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1373976.exe
Filesize
148KB

MD5
2b5764ee5a0fbb9e8a26759845d2fd52

SHA1
7b07027438f1c80437e0a64a16bf4dc2b772bf2e

SHA256
0f7f2d3af0a24d79f3667754c0fd035eae4f2f4e10ac1aac97f47dc68c8ee59f

SHA512
33b70a26ad5ec93eed1f4579e170e09d9f9899bc70180646e69d5d25a504f7c80549d35b0e3c6d285b9b95bea83b0dfad374bd9e2f0897d63de7db32543368d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
9cf997f0b0f40bd869c74b1b227b4a6c

SHA1
c7b6580b57f38b51946dc0bf585fea2993cb474c

SHA256
153bf735e25f623e48d1750d86fc60acdbe19db5a28a5af4c5ef99c7598a0653

SHA512
270780ac5da9d868bdc70582fab7c9bda739db2a81a0f7bb59a764262b127e5a08918ba9ee89fbc7744ec4b494374927a891fd20290b08cc587504dffe410b2f

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2128-182-0x0000000006E50000-0x00000000073F4000-memory.dmp

Filesize
5.6MB

Download
memory/2128-176-0x0000000005880000-0x000000000598A000-memory.dmp

Filesize
1.0MB

Download
memory/2128-187-0x0000000007400000-0x00000000075C2000-memory.dmp

Filesize
1.8MB

Download
memory/2128-186-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/2128-185-0x0000000006690000-0x00000000066E0000-memory.dmp

Filesize
320KB

Download
memory/2128-183-0x0000000005CC0000-0x0000000005D26000-memory.dmp

Filesize
408KB

Download
memory/2128-181-0x0000000005C20000-0x0000000005CB2000-memory.dmp

Filesize
584KB

Download
memory/2128-180-0x0000000005B00000-0x0000000005B76000-memory.dmp

Filesize
472KB

Download
memory/2128-179-0x0000000005760000-0x0000000005770000-memory.dmp

Filesize
64KB

Download
memory/2128-174-0x0000000000E30000-0x0000000000E60000-memory.dmp

Filesize
192KB

Download
memory/2128-178-0x00000000057F0000-0x000000000582C000-memory.dmp

Filesize
240KB

Download
memory/2128-175-0x0000000005D90000-0x00000000063A8000-memory.dmp

Filesize
6.1MB

Download
memory/2128-177-0x0000000005790000-0x00000000057A2000-memory.dmp

Filesize
72KB

Download
memory/2128-188-0x0000000009020000-0x000000000954C000-memory.dmp

Filesize
5.2MB

Download
memory/4148-212-0x0000000005360000-0x0000000005370000-memory.dmp

Filesize
64KB

Download
memory/4148-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4684-161-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/4872-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download