redline | d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065

Analysis

max time kernel
104s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe
Size

770KB
MD5

671a8276ed05adf5bf8a2bc9905bcd2f
SHA1

761976201c44f0920b84449c897dc4542c865540
SHA256

d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065
SHA512

9bee98aa217d23072aeb5b23ea0f3a2c8cd7a801042b788e9e062b46783fb48af4ecefdbe7a5e0a95cbb31958b49fcf38b1c2d05376099e4f5b04030809794f3
SSDEEP

12288:zMrGy907pH0vWpxZupbVqYHBMnObY0NarjzYMNLnJNsAkxQ:ZyiHMUCpbNMnObYbsMpDcm

Score

10^/10

redline diza sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek4900328.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k4900328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k4900328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k4900328.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k4900328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k4900328.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k4900328.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe	family_redline
behavioral1/memory/1944-175-0x0000000000C60000-0x0000000000C90000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m4557860.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	m4557860.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

y0264254.exey0923177.exey3784571.exej8883443.exek4900328.exel3666231.exem4557860.exelamod.exen3338729.exelamod.exelamod.exe

pid	process
3232	y0264254.exe
3800	y0923177.exe
1228	y3784571.exe
1080	j8883443.exe
1384	k4900328.exe
1944	l3666231.exe
4236	m4557860.exe
4684	lamod.exe
5028	n3338729.exe
1984	lamod.exe
4812	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4276 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k4900328.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k4900328.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4276	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k4900328.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y0923177.exey3784571.exed9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exey0264254.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0923177.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0923177.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3784571.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y3784571.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0264254.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0264254.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

j8883443.exen3338729.exe

description	pid	process	target process
PID 1080 set thread context of 2572	1080	j8883443.exe	AppLaunch.exe
PID 5028 set thread context of 2496	5028	n3338729.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4860 1080 WerFault.exe j8883443.exe
2344 5028 WerFault.exe n3338729.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4436 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exek4900328.exel3666231.exeAppLaunch.exe

pid process

2572 AppLaunch.exe
2572 AppLaunch.exe
1384 k4900328.exe
1384 k4900328.exe
1944 l3666231.exe
1944 l3666231.exe
2496 AppLaunch.exe
2496 AppLaunch.exe

pid	pid_target	process	target process
4860	1080	WerFault.exe	j8883443.exe
2344	5028	WerFault.exe	n3338729.exe

pid	process
4436	schtasks.exe

pid	process
2572	AppLaunch.exe
2572	AppLaunch.exe
1384	k4900328.exe
1384	k4900328.exe
1944	l3666231.exe
1944	l3666231.exe
2496	AppLaunch.exe
2496	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exek4900328.exel3666231.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	2572	AppLaunch.exe
Token: SeDebugPrivilege	1384	k4900328.exe
Token: SeDebugPrivilege	1944	l3666231.exe
Token: SeDebugPrivilege	2496	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m4557860.exe

pid process

4236 m4557860.exe

pid	process
4236	m4557860.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exey0264254.exey0923177.exey3784571.exej8883443.exem4557860.exelamod.execmd.exen3338729.exe

description	pid	process	target process
PID 3604 wrote to memory of 3232	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	y0264254.exe
PID 3604 wrote to memory of 3232	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	y0264254.exe
PID 3604 wrote to memory of 3232	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	y0264254.exe
PID 3232 wrote to memory of 3800	3232	y0264254.exe	y0923177.exe
PID 3232 wrote to memory of 3800	3232	y0264254.exe	y0923177.exe
PID 3232 wrote to memory of 3800	3232	y0264254.exe	y0923177.exe
PID 3800 wrote to memory of 1228	3800	y0923177.exe	y3784571.exe
PID 3800 wrote to memory of 1228	3800	y0923177.exe	y3784571.exe
PID 3800 wrote to memory of 1228	3800	y0923177.exe	y3784571.exe
PID 1228 wrote to memory of 1080	1228	y3784571.exe	j8883443.exe
PID 1228 wrote to memory of 1080	1228	y3784571.exe	j8883443.exe
PID 1228 wrote to memory of 1080	1228	y3784571.exe	j8883443.exe
PID 1080 wrote to memory of 2572	1080	j8883443.exe	AppLaunch.exe
PID 1080 wrote to memory of 2572	1080	j8883443.exe	AppLaunch.exe
PID 1080 wrote to memory of 2572	1080	j8883443.exe	AppLaunch.exe
PID 1080 wrote to memory of 2572	1080	j8883443.exe	AppLaunch.exe
PID 1080 wrote to memory of 2572	1080	j8883443.exe	AppLaunch.exe
PID 1228 wrote to memory of 1384	1228	y3784571.exe	k4900328.exe
PID 1228 wrote to memory of 1384	1228	y3784571.exe	k4900328.exe
PID 3800 wrote to memory of 1944	3800	y0923177.exe	l3666231.exe
PID 3800 wrote to memory of 1944	3800	y0923177.exe	l3666231.exe
PID 3800 wrote to memory of 1944	3800	y0923177.exe	l3666231.exe
PID 3232 wrote to memory of 4236	3232	y0264254.exe	m4557860.exe
PID 3232 wrote to memory of 4236	3232	y0264254.exe	m4557860.exe
PID 3232 wrote to memory of 4236	3232	y0264254.exe	m4557860.exe
PID 4236 wrote to memory of 4684	4236	m4557860.exe	lamod.exe
PID 4236 wrote to memory of 4684	4236	m4557860.exe	lamod.exe
PID 4236 wrote to memory of 4684	4236	m4557860.exe	lamod.exe
PID 3604 wrote to memory of 5028	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	n3338729.exe
PID 3604 wrote to memory of 5028	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	n3338729.exe
PID 3604 wrote to memory of 5028	3604	d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe	n3338729.exe
PID 4684 wrote to memory of 4436	4684	lamod.exe	schtasks.exe
PID 4684 wrote to memory of 4436	4684	lamod.exe	schtasks.exe
PID 4684 wrote to memory of 4436	4684	lamod.exe	schtasks.exe
PID 4684 wrote to memory of 2352	4684	lamod.exe	cmd.exe
PID 4684 wrote to memory of 2352	4684	lamod.exe	cmd.exe
PID 4684 wrote to memory of 2352	4684	lamod.exe	cmd.exe
PID 2352 wrote to memory of 5072	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 5072	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 5072	2352	cmd.exe	cmd.exe
PID 5028 wrote to memory of 2496	5028	n3338729.exe	AppLaunch.exe
PID 5028 wrote to memory of 2496	5028	n3338729.exe	AppLaunch.exe
PID 5028 wrote to memory of 2496	5028	n3338729.exe	AppLaunch.exe
PID 2352 wrote to memory of 3884	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3884	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3884	2352	cmd.exe	cacls.exe
PID 5028 wrote to memory of 2496	5028	n3338729.exe	AppLaunch.exe
PID 5028 wrote to memory of 2496	5028	n3338729.exe	AppLaunch.exe
PID 2352 wrote to memory of 3200	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3200	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3200	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 4744	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4744	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 4744	2352	cmd.exe	cmd.exe
PID 2352 wrote to memory of 1376	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1376	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 1376	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3444	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3444	2352	cmd.exe	cacls.exe
PID 2352 wrote to memory of 3444	2352	cmd.exe	cacls.exe
PID 4684 wrote to memory of 4276	4684	lamod.exe	rundll32.exe
PID 4684 wrote to memory of 4276	4684	lamod.exe	rundll32.exe
PID 4684 wrote to memory of 4276	4684	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe
"C:\Users\Admin\AppData\Local\Temp\d9b7235181c32eb7eef739de3faca5669d67633dbda8b3cec7f5adfcfbe42065.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3604

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0264254.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0264254.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0923177.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0923177.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3800

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3784571.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3784571.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8883443.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8883443.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 156
6⤵
- Program crash
PID:4860

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k4900328.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k4900328.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4557860.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4557860.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:4436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:5072

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:3884

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3200

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:1376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4744

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:3444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4276

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3338729.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3338729.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 160
3⤵
- Program crash
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1080 -ip 1080
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 5028 -ip 5028
1⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4812

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3338729.exe
Filesize
308KB

MD5
301ff404fb6b147e2af1d9957542ea70

SHA1
4c18763b64e0620608d1a9561c980c589553ca79

SHA256
67a4af74b056f22b7a19cc77f6690bb628248483af07d264df39ff4b86649f60

SHA512
0941854ff530cead18bb2d2cbfc6ba795c6cf0055e88cf75eae4e46461b84d50c8c9433cbd66ecd7742caf7795507e5cd2e98d9942a9f100caa66ac2f6b9319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n3338729.exe
Filesize
308KB

MD5
301ff404fb6b147e2af1d9957542ea70

SHA1
4c18763b64e0620608d1a9561c980c589553ca79

SHA256
67a4af74b056f22b7a19cc77f6690bb628248483af07d264df39ff4b86649f60

SHA512
0941854ff530cead18bb2d2cbfc6ba795c6cf0055e88cf75eae4e46461b84d50c8c9433cbd66ecd7742caf7795507e5cd2e98d9942a9f100caa66ac2f6b9319c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0264254.exe
Filesize
548KB

MD5
dfc7e31f40888c232d23765df9a41f91

SHA1
17f7a27ef50e203bda957990b780fb4ef704d853

SHA256
e0f7085d486d3b020dce8ab33ed3f709b124b42c467dda6945eadf199a4ae9f4

SHA512
9ce2b69879a64dd98c6aa09e3a23ca85493105f3d474bf51891f97a337a88cdb99898da86c523983218b0f035c797a0ae7652dd7a5ece9c6e78475290bc1b6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0264254.exe
Filesize
548KB

MD5
dfc7e31f40888c232d23765df9a41f91

SHA1
17f7a27ef50e203bda957990b780fb4ef704d853

SHA256
e0f7085d486d3b020dce8ab33ed3f709b124b42c467dda6945eadf199a4ae9f4

SHA512
9ce2b69879a64dd98c6aa09e3a23ca85493105f3d474bf51891f97a337a88cdb99898da86c523983218b0f035c797a0ae7652dd7a5ece9c6e78475290bc1b6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4557860.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4557860.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0923177.exe
Filesize
376KB

MD5
effc3f99660d14ca9c90232dc90e854b

SHA1
37d98712f3358719eb395406d5cc6a3eea3a5115

SHA256
677eebc6275c517742d170e7466881d57b4d865c3b87aba07f85ab2ad85d139e

SHA512
7f28e4613b92b818dac8acdbbe1af0c8a9664b1ec3f42551b5846314f8b573684eddf4cd8ec796fd7dea1393e90c0205595a7f845f02205a88e9194071c0d42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0923177.exe
Filesize
376KB

MD5
effc3f99660d14ca9c90232dc90e854b

SHA1
37d98712f3358719eb395406d5cc6a3eea3a5115

SHA256
677eebc6275c517742d170e7466881d57b4d865c3b87aba07f85ab2ad85d139e

SHA512
7f28e4613b92b818dac8acdbbe1af0c8a9664b1ec3f42551b5846314f8b573684eddf4cd8ec796fd7dea1393e90c0205595a7f845f02205a88e9194071c0d42a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe
Filesize
173KB

MD5
347b4efd0546b3b8c586c5fd67afc712

SHA1
a9f58196eb7b73a03d965ac0d92a007e63c2cf2e

SHA256
bcb5e3545bfd7cee7d04bbcb9a62ae3c915212b520c8047516436b0b0b8de2f2

SHA512
43de425af3d03be27e80583c12e70fc4454e31b2447fbbf255454280f7a18e3c4f7e57588b0aaae566275f96147340185f971081a0602d706f1b0b4b6f04b5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l3666231.exe
Filesize
173KB

MD5
347b4efd0546b3b8c586c5fd67afc712

SHA1
a9f58196eb7b73a03d965ac0d92a007e63c2cf2e

SHA256
bcb5e3545bfd7cee7d04bbcb9a62ae3c915212b520c8047516436b0b0b8de2f2

SHA512
43de425af3d03be27e80583c12e70fc4454e31b2447fbbf255454280f7a18e3c4f7e57588b0aaae566275f96147340185f971081a0602d706f1b0b4b6f04b5ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3784571.exe
Filesize
220KB

MD5
ea4e661f4a0845299ddd6413defb45be

SHA1
677977eae5835b7c2e4abea8299d77f25d2327b5

SHA256
e5f59969021f87fb588f1024d7ac397c911d3e0ffb71a3eb4f3f3563f3da905f

SHA512
149159c279770cf35a9c652ae7db0975fb4a5ca9802fb56d564f0e9b019b9cf3b1b577daf15ecd0ce1f24f2c68df20dd51be6a92733d154bfe233874424ca10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3784571.exe
Filesize
220KB

MD5
ea4e661f4a0845299ddd6413defb45be

SHA1
677977eae5835b7c2e4abea8299d77f25d2327b5

SHA256
e5f59969021f87fb588f1024d7ac397c911d3e0ffb71a3eb4f3f3563f3da905f

SHA512
149159c279770cf35a9c652ae7db0975fb4a5ca9802fb56d564f0e9b019b9cf3b1b577daf15ecd0ce1f24f2c68df20dd51be6a92733d154bfe233874424ca10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8883443.exe
Filesize
147KB

MD5
2b983d4e43ea39703b38d4892a8638d1

SHA1
2af044e4ae5a6b6ff098b47ed6dc3acf9442a0c2

SHA256
1903484aa7d469f2bddcc6bea4140db7da997f8ca0faf13f7a9d83188c2899d4

SHA512
980cd21f20e37d4c6719e2096609a1ea6024e2752d85b5f28b228b87f129590254cc0334f3e2231203f0d29085f5aec0a072a9a0580681c3b6066ce51d1dcb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8883443.exe
Filesize
147KB

MD5
2b983d4e43ea39703b38d4892a8638d1

SHA1
2af044e4ae5a6b6ff098b47ed6dc3acf9442a0c2

SHA256
1903484aa7d469f2bddcc6bea4140db7da997f8ca0faf13f7a9d83188c2899d4

SHA512
980cd21f20e37d4c6719e2096609a1ea6024e2752d85b5f28b228b87f129590254cc0334f3e2231203f0d29085f5aec0a072a9a0580681c3b6066ce51d1dcb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k4900328.exe
Filesize
14KB

MD5
a61ed26a7d3ae84903c53c59b2f8f2dc

SHA1
3723a35e2f23b0cc6a4b39d2b2f79c9e81c00a01

SHA256
eb7fb085c7ab5346207f11e24f3b28639d05a29cf89fdec893e27888d634644d

SHA512
49b25892872892c0c5c045c7507f67a3ce40ea359f511f69980ba385a07a6d5a3ab86556cf872e9d60bc533f29e1239c7ffe6abc15caa7a4c432f33bee9ea0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k4900328.exe
Filesize
14KB

MD5
a61ed26a7d3ae84903c53c59b2f8f2dc

SHA1
3723a35e2f23b0cc6a4b39d2b2f79c9e81c00a01

SHA256
eb7fb085c7ab5346207f11e24f3b28639d05a29cf89fdec893e27888d634644d

SHA512
49b25892872892c0c5c045c7507f67a3ce40ea359f511f69980ba385a07a6d5a3ab86556cf872e9d60bc533f29e1239c7ffe6abc15caa7a4c432f33bee9ea0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
af00571bc79691b389a6fc12be8fea28

SHA1
269ae96ba7343a3a4f1a647fc69fcdc9d81c221a

SHA256
3f6e3833d3f7df6cc562c9720c70fb399dd4e060dd49cac5ca4c7db67249c356

SHA512
2401ab02af51130c569d5583172b23556ee3b35a42070d400bd3904426261774591984316e047f2b863f96ea31307ee8f8fe50f49a7168c28aa382cf9820278a

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/1384-169-0x00000000009C0000-0x00000000009CA000-memory.dmp

Filesize
40KB

Download
memory/1944-178-0x000000000AB20000-0x000000000AB32000-memory.dmp

Filesize
72KB

Download
memory/1944-184-0x000000000B050000-0x000000000B0B6000-memory.dmp

Filesize
408KB

Download
memory/1944-175-0x0000000000C60000-0x0000000000C90000-memory.dmp

Filesize
192KB

Download
memory/1944-185-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1944-180-0x000000000AB80000-0x000000000ABBC000-memory.dmp

Filesize
240KB

Download
memory/1944-183-0x000000000BCA0000-0x000000000C244000-memory.dmp

Filesize
5.6MB

Download
memory/1944-182-0x000000000AFB0000-0x000000000B042000-memory.dmp

Filesize
584KB

Download
memory/1944-176-0x000000000B0D0000-0x000000000B6E8000-memory.dmp

Filesize
6.1MB

Download
memory/1944-186-0x000000000C2A0000-0x000000000C2F0000-memory.dmp

Filesize
320KB

Download
memory/1944-187-0x000000000C4C0000-0x000000000C682000-memory.dmp

Filesize
1.8MB

Download
memory/1944-181-0x000000000AE90000-0x000000000AF06000-memory.dmp

Filesize
472KB

Download
memory/1944-179-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/1944-188-0x000000000CBC0000-0x000000000D0EC000-memory.dmp

Filesize
5.2MB

Download
memory/1944-177-0x000000000ABE0000-0x000000000ACEA000-memory.dmp

Filesize
1.0MB

Download
memory/2496-212-0x00000000050E0000-0x00000000050F0000-memory.dmp

Filesize
64KB

Download
memory/2496-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2572-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download