redline | 090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee

Analysis

max time kernel
115s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 13:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe
Size

770KB
MD5

793904a2964f65fd2ff3011489c05fe1
SHA1

37a1e5b88acfc180c65595f5c08e7d063c8f8291
SHA256

090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee
SHA512

f8e683a89901ee2088f97cdab83826b02fe4a3e537ea940a1abf9aaa255a31002c39038f0063f39e6f7df72f187114ad119567dc1802345c320eb75fd37f537e
SSDEEP

12288:+MrBy90X+k1h4IVfm8jx+pCSN1PM9YCPPdjjDSyqzVJJegfWYzCqPCNnKhBkV:HyYmau8jx2CSNxM9blKJLJegfRzEKe

Score

10^/10

redline maxi sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

maxi

83.97.73.129:19068

Attributes

auth_value
6a3f22e5f4209b056a3fd330dc71956a

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea7101930.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7101930.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d0562535.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	d0562535.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v4429897.exev6405415.exev0839689.exea7101930.exeb1529809.exec6621000.exed0562535.exelamod.exee0484319.exelamod.exelamod.exe

pid	process
5108	v4429897.exe
3340	v6405415.exe
4888	v0839689.exe
1356	a7101930.exe
4284	b1529809.exe
3652	c6621000.exe
3856	d0562535.exe
1124	lamod.exe
2280	e0484319.exe
1180	lamod.exe
5040	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1836 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7101930.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7101930.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1836	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7101930.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v4429897.exev6405415.exev0839689.exe090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v4429897.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v4429897.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6405415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6405415.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v0839689.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v0839689.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b1529809.exee0484319.exe

description	pid	process	target process
PID 4284 set thread context of 2020	4284	b1529809.exe	AppLaunch.exe
PID 2280 set thread context of 4204	2280	e0484319.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1576 4284 WerFault.exe b1529809.exe
2108 2280 WerFault.exe e0484319.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4236 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a7101930.exeAppLaunch.exec6621000.exeAppLaunch.exe

pid process

1356 a7101930.exe
1356 a7101930.exe
2020 AppLaunch.exe
2020 AppLaunch.exe
3652 c6621000.exe
3652 c6621000.exe
4204 AppLaunch.exe
4204 AppLaunch.exe

pid	pid_target	process	target process
1576	4284	WerFault.exe	b1529809.exe
2108	2280	WerFault.exe	e0484319.exe

pid	process
4236	schtasks.exe

pid	process
1356	a7101930.exe
1356	a7101930.exe
2020	AppLaunch.exe
2020	AppLaunch.exe
3652	c6621000.exe
3652	c6621000.exe
4204	AppLaunch.exe
4204	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7101930.exeAppLaunch.exec6621000.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1356	a7101930.exe
Token: SeDebugPrivilege	2020	AppLaunch.exe
Token: SeDebugPrivilege	3652	c6621000.exe
Token: SeDebugPrivilege	4204	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d0562535.exe

pid process

3856 d0562535.exe

pid	process
3856	d0562535.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exev4429897.exev6405415.exev0839689.exeb1529809.exed0562535.exelamod.execmd.exee0484319.exe

description	pid	process	target process
PID 220 wrote to memory of 5108	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	v4429897.exe
PID 220 wrote to memory of 5108	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	v4429897.exe
PID 220 wrote to memory of 5108	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	v4429897.exe
PID 5108 wrote to memory of 3340	5108	v4429897.exe	v6405415.exe
PID 5108 wrote to memory of 3340	5108	v4429897.exe	v6405415.exe
PID 5108 wrote to memory of 3340	5108	v4429897.exe	v6405415.exe
PID 3340 wrote to memory of 4888	3340	v6405415.exe	v0839689.exe
PID 3340 wrote to memory of 4888	3340	v6405415.exe	v0839689.exe
PID 3340 wrote to memory of 4888	3340	v6405415.exe	v0839689.exe
PID 4888 wrote to memory of 1356	4888	v0839689.exe	a7101930.exe
PID 4888 wrote to memory of 1356	4888	v0839689.exe	a7101930.exe
PID 4888 wrote to memory of 4284	4888	v0839689.exe	b1529809.exe
PID 4888 wrote to memory of 4284	4888	v0839689.exe	b1529809.exe
PID 4888 wrote to memory of 4284	4888	v0839689.exe	b1529809.exe
PID 4284 wrote to memory of 2020	4284	b1529809.exe	AppLaunch.exe
PID 4284 wrote to memory of 2020	4284	b1529809.exe	AppLaunch.exe
PID 4284 wrote to memory of 2020	4284	b1529809.exe	AppLaunch.exe
PID 4284 wrote to memory of 2020	4284	b1529809.exe	AppLaunch.exe
PID 4284 wrote to memory of 2020	4284	b1529809.exe	AppLaunch.exe
PID 3340 wrote to memory of 3652	3340	v6405415.exe	c6621000.exe
PID 3340 wrote to memory of 3652	3340	v6405415.exe	c6621000.exe
PID 3340 wrote to memory of 3652	3340	v6405415.exe	c6621000.exe
PID 5108 wrote to memory of 3856	5108	v4429897.exe	d0562535.exe
PID 5108 wrote to memory of 3856	5108	v4429897.exe	d0562535.exe
PID 5108 wrote to memory of 3856	5108	v4429897.exe	d0562535.exe
PID 3856 wrote to memory of 1124	3856	d0562535.exe	lamod.exe
PID 3856 wrote to memory of 1124	3856	d0562535.exe	lamod.exe
PID 3856 wrote to memory of 1124	3856	d0562535.exe	lamod.exe
PID 220 wrote to memory of 2280	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	e0484319.exe
PID 220 wrote to memory of 2280	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	e0484319.exe
PID 220 wrote to memory of 2280	220	090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe	e0484319.exe
PID 1124 wrote to memory of 4236	1124	lamod.exe	schtasks.exe
PID 1124 wrote to memory of 4236	1124	lamod.exe	schtasks.exe
PID 1124 wrote to memory of 4236	1124	lamod.exe	schtasks.exe
PID 1124 wrote to memory of 2172	1124	lamod.exe	cmd.exe
PID 1124 wrote to memory of 2172	1124	lamod.exe	cmd.exe
PID 1124 wrote to memory of 2172	1124	lamod.exe	cmd.exe
PID 2172 wrote to memory of 3252	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 3252	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 3252	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 2416	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 2416	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 2416	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1280	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1280	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1280	2172	cmd.exe	cacls.exe
PID 2280 wrote to memory of 4204	2280	e0484319.exe	AppLaunch.exe
PID 2280 wrote to memory of 4204	2280	e0484319.exe	AppLaunch.exe
PID 2280 wrote to memory of 4204	2280	e0484319.exe	AppLaunch.exe
PID 2280 wrote to memory of 4204	2280	e0484319.exe	AppLaunch.exe
PID 2172 wrote to memory of 4192	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 4192	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 4192	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 4928	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4928	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4928	2172	cmd.exe	cacls.exe
PID 2280 wrote to memory of 4204	2280	e0484319.exe	AppLaunch.exe
PID 2172 wrote to memory of 1988	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1988	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1988	2172	cmd.exe	cacls.exe
PID 1124 wrote to memory of 1836	1124	lamod.exe	rundll32.exe
PID 1124 wrote to memory of 1836	1124	lamod.exe	rundll32.exe
PID 1124 wrote to memory of 1836	1124	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe
"C:\Users\Admin\AppData\Local\Temp\090d30b5732a364d831c908a2c88acf45e5fa847370a3e2005a09b52543f70ee.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:220

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4429897.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4429897.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5108

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6405415.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6405415.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3340

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0839689.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0839689.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7101930.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7101930.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1529809.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1529809.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4284 -s 156
6⤵
- Program crash
PID:1576

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6621000.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6621000.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0562535.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0562535.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3856

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:4236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3252

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2416

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:1280

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4928

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4192

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:1988

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:1836

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0484319.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0484319.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 152
3⤵
- Program crash
PID:2108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4284 -ip 4284
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
1⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1180

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:5040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0484319.exe
Filesize
308KB

MD5
0debd667fc423afd091db1ecd396ce56

SHA1
72afeaa65d5b10475b7b208ab0efcc4095ce4f72

SHA256
b225c1d6c1b7669d3ad4a977f39a5185769d12fa3f898e6d9d973e4eabbd2978

SHA512
b5e52bc03f05c07b42972c2c394cff7b6019e31fcdb0155f88d871beeaba4d06c2935ddd83637d98a1132145c124afc02a6db0d3e3f31fa03be2c422dbe22bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e0484319.exe
Filesize
308KB

MD5
0debd667fc423afd091db1ecd396ce56

SHA1
72afeaa65d5b10475b7b208ab0efcc4095ce4f72

SHA256
b225c1d6c1b7669d3ad4a977f39a5185769d12fa3f898e6d9d973e4eabbd2978

SHA512
b5e52bc03f05c07b42972c2c394cff7b6019e31fcdb0155f88d871beeaba4d06c2935ddd83637d98a1132145c124afc02a6db0d3e3f31fa03be2c422dbe22bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4429897.exe
Filesize
548KB

MD5
08f5d2097075f81b25675810dab07e75

SHA1
255057e8aff88a6823269e3f8e9946022a245e2c

SHA256
ac8fea985d20f5034b650d5d98176eae8dad3b58238fc88d21d0a32cf205e741

SHA512
931c398fd9d9d50af0def3e846210637c7f39ec72ca6d9c76e19037616dc4f376a29d3b3bc3620104bb674c0307e032281babeafcdd0daab30345ddafdb936e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v4429897.exe
Filesize
548KB

MD5
08f5d2097075f81b25675810dab07e75

SHA1
255057e8aff88a6823269e3f8e9946022a245e2c

SHA256
ac8fea985d20f5034b650d5d98176eae8dad3b58238fc88d21d0a32cf205e741

SHA512
931c398fd9d9d50af0def3e846210637c7f39ec72ca6d9c76e19037616dc4f376a29d3b3bc3620104bb674c0307e032281babeafcdd0daab30345ddafdb936e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0562535.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d0562535.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6405415.exe
Filesize
376KB

MD5
d67bf19d169bb3ff429cd1dca5361304

SHA1
1289762a81d239239909de850f17908356e8a825

SHA256
f4e0dc1fa5653a8f4fdfb0c00e543aabdf020ce3cd1d9c6c25197c030061065e

SHA512
504ec7fd7f1411ec826490f59422e67b5814d0e4c03a462f2984ff5a060f9641e229e349bd00c704d25e6e7724c6415f403c964f6eb91aebf30bcb273d968353

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6405415.exe
Filesize
376KB

MD5
d67bf19d169bb3ff429cd1dca5361304

SHA1
1289762a81d239239909de850f17908356e8a825

SHA256
f4e0dc1fa5653a8f4fdfb0c00e543aabdf020ce3cd1d9c6c25197c030061065e

SHA512
504ec7fd7f1411ec826490f59422e67b5814d0e4c03a462f2984ff5a060f9641e229e349bd00c704d25e6e7724c6415f403c964f6eb91aebf30bcb273d968353

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6621000.exe
Filesize
172KB

MD5
75b265a414ddda04767fb5a25d7a2cbf

SHA1
a82e23b81d7bb6398504c876927fa8d6a7ecbf17

SHA256
8a20f7b45916c24523b1288b3acfe51a4652d80878aa0165795931f83974fcb4

SHA512
f455ac6aa112f9ccb7c4cfac4ccd1af8f013b87e1fc23005704db517bb067eb1456e03a9a6d79ff89344bcf0a2255cb373658686b91d2941f907f1dd2446bba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c6621000.exe
Filesize
172KB

MD5
75b265a414ddda04767fb5a25d7a2cbf

SHA1
a82e23b81d7bb6398504c876927fa8d6a7ecbf17

SHA256
8a20f7b45916c24523b1288b3acfe51a4652d80878aa0165795931f83974fcb4

SHA512
f455ac6aa112f9ccb7c4cfac4ccd1af8f013b87e1fc23005704db517bb067eb1456e03a9a6d79ff89344bcf0a2255cb373658686b91d2941f907f1dd2446bba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0839689.exe
Filesize
220KB

MD5
f122cc64485ef6ff69ca71eb28eb79c6

SHA1
60d774232dcee1efedbd02ec33f0cee78754edc2

SHA256
0d447a4bf4405abfeafee4b01f15aab83e61e672b5b4ad78b567a24a36036747

SHA512
0069afcd658db29f8c19d621eb76ea54405e3ae94754c20846dddd7188896aeeee0fe8b35aadf72d2e719ebd6d4bc7d5442d3349ab6ebbab7a78c5f00769c726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v0839689.exe
Filesize
220KB

MD5
f122cc64485ef6ff69ca71eb28eb79c6

SHA1
60d774232dcee1efedbd02ec33f0cee78754edc2

SHA256
0d447a4bf4405abfeafee4b01f15aab83e61e672b5b4ad78b567a24a36036747

SHA512
0069afcd658db29f8c19d621eb76ea54405e3ae94754c20846dddd7188896aeeee0fe8b35aadf72d2e719ebd6d4bc7d5442d3349ab6ebbab7a78c5f00769c726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7101930.exe
Filesize
14KB

MD5
29a053015c1ba739fb7b58867c14a257

SHA1
906249bf29238dc37b210e570fe40fa0bf9f44bf

SHA256
b2af0eac0ab3bfbe3170bbd75920d9aa98beffef0b6a7acfbe0b381c55c9b01f

SHA512
d9c9f204c4146113efd2fd9fa0908087a644d2431f823618839af2f4afd8d5d50f0e9aaf7328fb230601d48756b9eca6669a0ca30738e749747df29037ff43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7101930.exe
Filesize
14KB

MD5
29a053015c1ba739fb7b58867c14a257

SHA1
906249bf29238dc37b210e570fe40fa0bf9f44bf

SHA256
b2af0eac0ab3bfbe3170bbd75920d9aa98beffef0b6a7acfbe0b381c55c9b01f

SHA512
d9c9f204c4146113efd2fd9fa0908087a644d2431f823618839af2f4afd8d5d50f0e9aaf7328fb230601d48756b9eca6669a0ca30738e749747df29037ff43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1529809.exe
Filesize
147KB

MD5
a7419792d0f8da4f798c4b1afe5a0b93

SHA1
2c154f384c8b7f112b74970eaa81cc5fffc0c95e

SHA256
b10754398b305a52ba0384e84c9d80667b151a96b67b0d29cc010612c5361fcf

SHA512
46e420a764c71483f44023e191c8d306ff5497b05b460b1ac5be077aa674d1010330e86cddf924dca97dc4753c68c4f2a8b7250a1831606de4949d88c08e94c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b1529809.exe
Filesize
147KB

MD5
a7419792d0f8da4f798c4b1afe5a0b93

SHA1
2c154f384c8b7f112b74970eaa81cc5fffc0c95e

SHA256
b10754398b305a52ba0384e84c9d80667b151a96b67b0d29cc010612c5361fcf

SHA512
46e420a764c71483f44023e191c8d306ff5497b05b460b1ac5be077aa674d1010330e86cddf924dca97dc4753c68c4f2a8b7250a1831606de4949d88c08e94c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
b689793eb50b05f29d5da9ac50d46149

SHA1
f9f3268d5453f08ae11d38aeed1e7cabefbf21f2

SHA256
32d89d781b506e45124924d508c59997e02a816adfb5b047cdaf425cf42bdcd8

SHA512
8402f52f1d70aee7fc0409561594b85c48296e050fb5647d21e4d18637a234eeb0d2c8893989637beec49c8aa2f19cba2d35d3b41750b5d611c99d6264aa58e2

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1356-161-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2020-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3652-180-0x000000000B030000-0x000000000B0A6000-memory.dmp

Filesize
472KB

Download
memory/3652-181-0x000000000B150000-0x000000000B1E2000-memory.dmp

Filesize
584KB

Download
memory/3652-186-0x000000000C7D0000-0x000000000C992000-memory.dmp

Filesize
1.8MB

Download
memory/3652-184-0x000000000BD70000-0x000000000BDC0000-memory.dmp

Filesize
320KB

Download
memory/3652-188-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3652-182-0x000000000B0B0000-0x000000000B116000-memory.dmp

Filesize
408KB

Download
memory/3652-187-0x000000000CED0000-0x000000000D3FC000-memory.dmp

Filesize
5.2MB

Download
memory/3652-174-0x0000000000E00000-0x0000000000E30000-memory.dmp

Filesize
192KB

Download
memory/3652-183-0x000000000C220000-0x000000000C7C4000-memory.dmp

Filesize
5.6MB

Download
memory/3652-175-0x000000000B210000-0x000000000B828000-memory.dmp

Filesize
6.1MB

Download
memory/3652-179-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3652-178-0x000000000AD20000-0x000000000AD5C000-memory.dmp

Filesize
240KB

Download
memory/3652-177-0x000000000ACC0000-0x000000000ACD2000-memory.dmp

Filesize
72KB

Download
memory/3652-176-0x000000000AD80000-0x000000000AE8A000-memory.dmp

Filesize
1.0MB

Download
memory/4204-212-0x0000000004BA0000-0x0000000004BB0000-memory.dmp

Filesize
64KB

Download
memory/4204-206-0x0000000000580000-0x00000000005B0000-memory.dmp

Filesize
192KB

Download