redline | 52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417

Analysis

max time kernel
121s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe
Size

772KB
MD5

4da26cb7066d5307ce830c386ce50757
SHA1

1b112bf6ff0eaed1bf04493d997e96693e08653e
SHA256

52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417
SHA512

c2566324f223b0fb29633aa9ca99d16c0e9d6f0e379d511a720b7972e38a89307143975dc3d7f2718b409b5063190e74874bcdd62c98610619709c1b1dbdffb4
SSDEEP

12288:yMrey904/eAv5Gk/a4nV9SclY0+Cz5V+bR//yZJC94CgqIV791reb7cZir/KXcW:Uy1vMSPScdXdVeR/sJC9x491kSXXn

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

a5049657.exeAppLaunch.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a5049657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a5049657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a5049657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a5049657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a5049657.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a5049657.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0121059.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	d0121059.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v7860725.exev6249416.exev0362747.exea5049657.exeb4039017.exec7283897.exed0121059.exelamod.exee7724565.exelamod.exelamod.exe

pid	process
428	v7860725.exe
2032	v6249416.exe
2976	v0362747.exe
1140	a5049657.exe
4972	b4039017.exe
4752	c7283897.exe
1524	d0121059.exe
4504	lamod.exe
3320	e7724565.exe
3832	lamod.exe
4464	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4544 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a5049657.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a5049657.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4544	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a5049657.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exev7860725.exev6249416.exev0362747.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v7860725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v7860725.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6249416.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6249416.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0362747.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0362747.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b4039017.exee7724565.exe

description	pid	process	target process
PID 4972 set thread context of 3976	4972	b4039017.exe	AppLaunch.exe
PID 3320 set thread context of 3284	3320	e7724565.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3852 4972 WerFault.exe b4039017.exe
2292 3320 WerFault.exe e7724565.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3292 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a5049657.exeAppLaunch.exec7283897.exeAppLaunch.exe

pid process

1140 a5049657.exe
1140 a5049657.exe
3976 AppLaunch.exe
3976 AppLaunch.exe
4752 c7283897.exe
4752 c7283897.exe
3284 AppLaunch.exe
3284 AppLaunch.exe

pid	pid_target	process	target process
3852	4972	WerFault.exe	b4039017.exe
2292	3320	WerFault.exe	e7724565.exe

pid	process
3292	schtasks.exe

pid	process
1140	a5049657.exe
1140	a5049657.exe
3976	AppLaunch.exe
3976	AppLaunch.exe
4752	c7283897.exe
4752	c7283897.exe
3284	AppLaunch.exe
3284	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a5049657.exeAppLaunch.exec7283897.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1140	a5049657.exe
Token: SeDebugPrivilege	3976	AppLaunch.exe
Token: SeDebugPrivilege	4752	c7283897.exe
Token: SeDebugPrivilege	3284	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0121059.exe

pid process

1524 d0121059.exe

pid	process
1524	d0121059.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exev7860725.exev6249416.exev0362747.exeb4039017.exed0121059.exelamod.execmd.exee7724565.exe

description	pid	process	target process
PID 3684 wrote to memory of 428	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	v7860725.exe
PID 3684 wrote to memory of 428	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	v7860725.exe
PID 3684 wrote to memory of 428	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	v7860725.exe
PID 428 wrote to memory of 2032	428	v7860725.exe	v6249416.exe
PID 428 wrote to memory of 2032	428	v7860725.exe	v6249416.exe
PID 428 wrote to memory of 2032	428	v7860725.exe	v6249416.exe
PID 2032 wrote to memory of 2976	2032	v6249416.exe	v0362747.exe
PID 2032 wrote to memory of 2976	2032	v6249416.exe	v0362747.exe
PID 2032 wrote to memory of 2976	2032	v6249416.exe	v0362747.exe
PID 2976 wrote to memory of 1140	2976	v0362747.exe	a5049657.exe
PID 2976 wrote to memory of 1140	2976	v0362747.exe	a5049657.exe
PID 2976 wrote to memory of 4972	2976	v0362747.exe	b4039017.exe
PID 2976 wrote to memory of 4972	2976	v0362747.exe	b4039017.exe
PID 2976 wrote to memory of 4972	2976	v0362747.exe	b4039017.exe
PID 4972 wrote to memory of 3976	4972	b4039017.exe	AppLaunch.exe
PID 4972 wrote to memory of 3976	4972	b4039017.exe	AppLaunch.exe
PID 4972 wrote to memory of 3976	4972	b4039017.exe	AppLaunch.exe
PID 4972 wrote to memory of 3976	4972	b4039017.exe	AppLaunch.exe
PID 4972 wrote to memory of 3976	4972	b4039017.exe	AppLaunch.exe
PID 2032 wrote to memory of 4752	2032	v6249416.exe	c7283897.exe
PID 2032 wrote to memory of 4752	2032	v6249416.exe	c7283897.exe
PID 2032 wrote to memory of 4752	2032	v6249416.exe	c7283897.exe
PID 428 wrote to memory of 1524	428	v7860725.exe	d0121059.exe
PID 428 wrote to memory of 1524	428	v7860725.exe	d0121059.exe
PID 428 wrote to memory of 1524	428	v7860725.exe	d0121059.exe
PID 1524 wrote to memory of 4504	1524	d0121059.exe	lamod.exe
PID 1524 wrote to memory of 4504	1524	d0121059.exe	lamod.exe
PID 1524 wrote to memory of 4504	1524	d0121059.exe	lamod.exe
PID 3684 wrote to memory of 3320	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	e7724565.exe
PID 3684 wrote to memory of 3320	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	e7724565.exe
PID 3684 wrote to memory of 3320	3684	52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe	e7724565.exe
PID 4504 wrote to memory of 3292	4504	lamod.exe	schtasks.exe
PID 4504 wrote to memory of 3292	4504	lamod.exe	schtasks.exe
PID 4504 wrote to memory of 3292	4504	lamod.exe	schtasks.exe
PID 4504 wrote to memory of 1112	4504	lamod.exe	cmd.exe
PID 4504 wrote to memory of 1112	4504	lamod.exe	cmd.exe
PID 4504 wrote to memory of 1112	4504	lamod.exe	cmd.exe
PID 1112 wrote to memory of 3448	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 3448	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 3448	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 2848	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 2848	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 2848	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 2772	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 2772	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 2772	1112	cmd.exe	cacls.exe
PID 3320 wrote to memory of 3284	3320	e7724565.exe	AppLaunch.exe
PID 3320 wrote to memory of 3284	3320	e7724565.exe	AppLaunch.exe
PID 3320 wrote to memory of 3284	3320	e7724565.exe	AppLaunch.exe
PID 3320 wrote to memory of 3284	3320	e7724565.exe	AppLaunch.exe
PID 1112 wrote to memory of 1488	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 1488	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 1488	1112	cmd.exe	cmd.exe
PID 1112 wrote to memory of 1772	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 1772	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 1772	1112	cmd.exe	cacls.exe
PID 3320 wrote to memory of 3284	3320	e7724565.exe	AppLaunch.exe
PID 1112 wrote to memory of 660	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 660	1112	cmd.exe	cacls.exe
PID 1112 wrote to memory of 660	1112	cmd.exe	cacls.exe
PID 4504 wrote to memory of 4544	4504	lamod.exe	rundll32.exe
PID 4504 wrote to memory of 4544	4504	lamod.exe	rundll32.exe
PID 4504 wrote to memory of 4544	4504	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe
"C:\Users\Admin\AppData\Local\Temp\52dbede7ddb0af5dfbd283be527dd3b355bf23dfcbb7e2d7efb1c2c3e75b3417.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3684

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7860725.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7860725.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:428

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6249416.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6249416.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0362747.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0362747.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2976

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5049657.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5049657.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4039017.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4039017.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 156
6⤵
- Program crash
PID:3852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7283897.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7283897.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0121059.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0121059.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1524

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:3292

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3448

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2848

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:2772

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1488

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:1772

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:660

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4544

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7724565.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7724565.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 148
3⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972
1⤵
PID:2140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3320 -ip 3320
1⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3832

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7724565.exe

Filesize
309KB

MD5
ee6567c567b4cda624a1559e8f31c493

SHA1
de771e960c97c698e0b629955ff751c37ed0a319

SHA256
d483e40ed0516a3b147a66088760645dc9513a89694ddf20e9a3ccb112f602d6

SHA512
dfbcd74d590dc08103244d922c5db5c6d1ce159e2c49a0ee95c1580f59c3c130e6e2eacb6101fdb62cd7a1e88f32709bb9febde88b1ea06bc6c2d64f9e7ef038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e7724565.exe

Filesize
309KB

MD5
ee6567c567b4cda624a1559e8f31c493

SHA1
de771e960c97c698e0b629955ff751c37ed0a319

SHA256
d483e40ed0516a3b147a66088760645dc9513a89694ddf20e9a3ccb112f602d6

SHA512
dfbcd74d590dc08103244d922c5db5c6d1ce159e2c49a0ee95c1580f59c3c130e6e2eacb6101fdb62cd7a1e88f32709bb9febde88b1ea06bc6c2d64f9e7ef038

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7860725.exe

Filesize
548KB

MD5
085830d6c7ec38fc05f84ad4045c8712

SHA1
43f9097e8ebe50ba67f6c4aec5561fdb51388262

SHA256
1c4e370e10c3798f3780d6558ce0d7773ee94283346c113b04aeb64395ee51ac

SHA512
539d3b018abf264e7e81610aa5aa430e4b29180189722f2e06ba92762fcc0adda6ba718acfb0d33e8e6832c1d8d2224386eeb8adbd84ca4bdfd90f715301ad99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v7860725.exe

Filesize
548KB

MD5
085830d6c7ec38fc05f84ad4045c8712

SHA1
43f9097e8ebe50ba67f6c4aec5561fdb51388262

SHA256
1c4e370e10c3798f3780d6558ce0d7773ee94283346c113b04aeb64395ee51ac

SHA512
539d3b018abf264e7e81610aa5aa430e4b29180189722f2e06ba92762fcc0adda6ba718acfb0d33e8e6832c1d8d2224386eeb8adbd84ca4bdfd90f715301ad99

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0121059.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0121059.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6249416.exe

Filesize
377KB

MD5
7769941268fa8278d30058cf09b6bf3d

SHA1
23701b77a186685269d9102f21c9229ec3bf4e2b

SHA256
85149f167280b59dce4c389cbe410b0e6f018eff3d0cf852286c30fd727379cc

SHA512
bb1cc0dfffd5794877e98af01a90647d206ae040f5186283bb52e08ced2e3a482d3353e174492a07f2f7ba1c654c638c96e2720949d4db01b646db131e6e9962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6249416.exe

Filesize
377KB

MD5
7769941268fa8278d30058cf09b6bf3d

SHA1
23701b77a186685269d9102f21c9229ec3bf4e2b

SHA256
85149f167280b59dce4c389cbe410b0e6f018eff3d0cf852286c30fd727379cc

SHA512
bb1cc0dfffd5794877e98af01a90647d206ae040f5186283bb52e08ced2e3a482d3353e174492a07f2f7ba1c654c638c96e2720949d4db01b646db131e6e9962

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7283897.exe

Filesize
172KB

MD5
ece50a496ac6b94949543f9a268064ac

SHA1
09b3d970ea23d7a51fe2d3341f90f3cf7712cd41

SHA256
97915ad51cbbe736d9631aee9296a7f8c7995ed47a1252717624de4553f6ef4f

SHA512
e99f03173bd6ba655ef895967507f9c80191a951a1ba35789af618413137e4ac70ac5ca7257136f21aa997f05c842f411384a5e2d661a4db5c6a05041f6d99ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c7283897.exe

Filesize
172KB

MD5
ece50a496ac6b94949543f9a268064ac

SHA1
09b3d970ea23d7a51fe2d3341f90f3cf7712cd41

SHA256
97915ad51cbbe736d9631aee9296a7f8c7995ed47a1252717624de4553f6ef4f

SHA512
e99f03173bd6ba655ef895967507f9c80191a951a1ba35789af618413137e4ac70ac5ca7257136f21aa997f05c842f411384a5e2d661a4db5c6a05041f6d99ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0362747.exe

Filesize
221KB

MD5
8a43fbe92dd22de7ed90881a531e1d0a

SHA1
658e7a35a752bb9fcea453aeb992ffb1887f36bd

SHA256
d72d7db13626585dba4b343b9f635c3f3c6606266a02f5b70e4414ae6ddfd9e6

SHA512
3642e9aeea34feb64dc7c30a81da97c5a673bf4954d7912a50ad56c81cd5fd94312a03db396b6fbf55a5a6c16627dc9788e13a8375b62c3d35e2a96725c47cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0362747.exe

Filesize
221KB

MD5
8a43fbe92dd22de7ed90881a531e1d0a

SHA1
658e7a35a752bb9fcea453aeb992ffb1887f36bd

SHA256
d72d7db13626585dba4b343b9f635c3f3c6606266a02f5b70e4414ae6ddfd9e6

SHA512
3642e9aeea34feb64dc7c30a81da97c5a673bf4954d7912a50ad56c81cd5fd94312a03db396b6fbf55a5a6c16627dc9788e13a8375b62c3d35e2a96725c47cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5049657.exe

Filesize
14KB

MD5
161c77d47039b7ac74d7a75f7ef4b6e9

SHA1
49afd5d4ea7c52d273ad6207bc933238e333432d

SHA256
f2131a82d71b63302dd3e072386653383d088e34d98abaa5d09961ef83bad9cf

SHA512
4182e6a373fede558719014253218b6b5526f01f595bf24af2fe6d29240ef77f80b9a0290101cbc71fd7ba2917931d42dcb663f487aa34ff63046264df75abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a5049657.exe

Filesize
14KB

MD5
161c77d47039b7ac74d7a75f7ef4b6e9

SHA1
49afd5d4ea7c52d273ad6207bc933238e333432d

SHA256
f2131a82d71b63302dd3e072386653383d088e34d98abaa5d09961ef83bad9cf

SHA512
4182e6a373fede558719014253218b6b5526f01f595bf24af2fe6d29240ef77f80b9a0290101cbc71fd7ba2917931d42dcb663f487aa34ff63046264df75abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4039017.exe

Filesize
148KB

MD5
0ee3945a815ffad28f938da671f50028

SHA1
71e2bbeddea083171ad9d5e7aabd8954af49cdd0

SHA256
e75ab889ef467d1323afa5639c62151f39182b492d9443ceb0d8ec3c5ee9fceb

SHA512
25672ad47c5cd436597f455142a4f39fd056e93e79c0726a626ca9819f84b9437b26985ca5fed8dc00d5d67e780bf0adcc5cbaba289e0d2141ec855f895e3828

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b4039017.exe

Filesize
148KB

MD5
0ee3945a815ffad28f938da671f50028

SHA1
71e2bbeddea083171ad9d5e7aabd8954af49cdd0

SHA256
e75ab889ef467d1323afa5639c62151f39182b492d9443ceb0d8ec3c5ee9fceb

SHA512
25672ad47c5cd436597f455142a4f39fd056e93e79c0726a626ca9819f84b9437b26985ca5fed8dc00d5d67e780bf0adcc5cbaba289e0d2141ec855f895e3828

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe

Filesize
208KB

MD5
e5cd46a5c1d925574ff9c57f50af5f60

SHA1
04aff3bbeefd40f8e01856682e4bbcdb31660f73

SHA256
840d62cd1430d6fbbcfdd1a10e8c3249b6cd6cc71c1f89924e9a71502508812f

SHA512
b17df0c34df0b236848d315c9d79a60b2a5aeb529b1f6d48ebabac9ef52142f2cf99a18ac6820d121989571a0d00bff070752d0c5832879a554d3b0684d8f700

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1140-161-0x0000000000A50000-0x0000000000A5A000-memory.dmp

Filesize
40KB

Download
memory/3284-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3284-212-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/3976-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4752-188-0x000000000CAF0000-0x000000000D01C000-memory.dmp

Filesize
5.2MB

Download
memory/4752-187-0x000000000C3F0000-0x000000000C5B2000-memory.dmp

Filesize
1.8MB

Download
memory/4752-186-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4752-185-0x000000000C1D0000-0x000000000C220000-memory.dmp

Filesize
320KB

Download
memory/4752-183-0x000000000AF70000-0x000000000AFD6000-memory.dmp

Filesize
408KB

Download
memory/4752-182-0x000000000BC20000-0x000000000C1C4000-memory.dmp

Filesize
5.6MB

Download
memory/4752-181-0x000000000AED0000-0x000000000AF62000-memory.dmp

Filesize
584KB

Download
memory/4752-180-0x000000000ADB0000-0x000000000AE26000-memory.dmp

Filesize
472KB

Download
memory/4752-179-0x000000000AAB0000-0x000000000AAEC000-memory.dmp

Filesize
240KB

Download
memory/4752-177-0x000000000AA50000-0x000000000AA62000-memory.dmp

Filesize
72KB

Download
memory/4752-178-0x00000000055A0000-0x00000000055B0000-memory.dmp

Filesize
64KB

Download
memory/4752-176-0x000000000AB40000-0x000000000AC4A000-memory.dmp

Filesize
1.0MB

Download
memory/4752-175-0x000000000B050000-0x000000000B668000-memory.dmp

Filesize
6.1MB

Download
memory/4752-174-0x0000000000CC0000-0x0000000000CF0000-memory.dmp

Filesize
192KB

Download