redline | 78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415

Analysis

max time kernel
96s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe
Size

771KB
MD5

d823e2956687ad173049f12b304d8ff8
SHA1

b05fc139d9eddd5211881a8c9c3776cb301c2d74
SHA256

78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415
SHA512

9e873973f190f72b98bd0015482bffd5fab1fec5c65fb60de9aba2622d5d012330a9ae4f494e8d3c4b06fb11d9a38a1fe5a061087c74ccb9fdc9c4d40de02f0e
SSDEEP

12288:oMrwy90eX/81pNgH4JX2hOudBqkwMdHuuT2AthuZduM3/Olk3DvzDhD33AEL6:IyxvPVZQAuuT2Ati/Olk3HDhDd6

Score

10^/10

redline diza sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek1702304.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1702304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1702304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1702304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1702304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1702304.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1702304.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe	family_redline
behavioral1/memory/740-175-0x0000000000B90000-0x0000000000BC0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m1640606.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	m1640606.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

y0964228.exey3695578.exey0997090.exej0298894.exek1702304.exel5380084.exem1640606.exelamod.exen2682414.exelamod.exelamod.exe

pid	process
2628	y0964228.exe
4840	y3695578.exe
3756	y0997090.exe
1808	j0298894.exe
1788	k1702304.exe
740	l5380084.exe
912	m1640606.exe
1624	lamod.exe
4368	n2682414.exe
3036	lamod.exe
1784	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4912 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k1702304.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k1702304.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4912	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1702304.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exey0964228.exey3695578.exey0997090.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0964228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0964228.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3695578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y3695578.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0997090.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y0997090.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

j0298894.exen2682414.exe

description	pid	process	target process
PID 1808 set thread context of 4348	1808	j0298894.exe	AppLaunch.exe
PID 4368 set thread context of 4248	4368	n2682414.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2656 1808 WerFault.exe j0298894.exe
4148 4368 WerFault.exe n2682414.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1228 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exek1702304.exel5380084.exeAppLaunch.exe

pid process

4348 AppLaunch.exe
4348 AppLaunch.exe
1788 k1702304.exe
1788 k1702304.exe
740 l5380084.exe
740 l5380084.exe
4248 AppLaunch.exe
4248 AppLaunch.exe

pid	pid_target	process	target process
2656	1808	WerFault.exe	j0298894.exe
4148	4368	WerFault.exe	n2682414.exe

pid	process
1228	schtasks.exe

pid	process
4348	AppLaunch.exe
4348	AppLaunch.exe
1788	k1702304.exe
1788	k1702304.exe
740	l5380084.exe
740	l5380084.exe
4248	AppLaunch.exe
4248	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exek1702304.exel5380084.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4348	AppLaunch.exe
Token: SeDebugPrivilege	1788	k1702304.exe
Token: SeDebugPrivilege	740	l5380084.exe
Token: SeDebugPrivilege	4248	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m1640606.exe

pid process

912 m1640606.exe

pid	process
912	m1640606.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exey0964228.exey3695578.exey0997090.exej0298894.exem1640606.exelamod.exen2682414.execmd.exe

description	pid	process	target process
PID 2120 wrote to memory of 2628	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	y0964228.exe
PID 2120 wrote to memory of 2628	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	y0964228.exe
PID 2120 wrote to memory of 2628	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	y0964228.exe
PID 2628 wrote to memory of 4840	2628	y0964228.exe	y3695578.exe
PID 2628 wrote to memory of 4840	2628	y0964228.exe	y3695578.exe
PID 2628 wrote to memory of 4840	2628	y0964228.exe	y3695578.exe
PID 4840 wrote to memory of 3756	4840	y3695578.exe	y0997090.exe
PID 4840 wrote to memory of 3756	4840	y3695578.exe	y0997090.exe
PID 4840 wrote to memory of 3756	4840	y3695578.exe	y0997090.exe
PID 3756 wrote to memory of 1808	3756	y0997090.exe	j0298894.exe
PID 3756 wrote to memory of 1808	3756	y0997090.exe	j0298894.exe
PID 3756 wrote to memory of 1808	3756	y0997090.exe	j0298894.exe
PID 1808 wrote to memory of 4348	1808	j0298894.exe	AppLaunch.exe
PID 1808 wrote to memory of 4348	1808	j0298894.exe	AppLaunch.exe
PID 1808 wrote to memory of 4348	1808	j0298894.exe	AppLaunch.exe
PID 1808 wrote to memory of 4348	1808	j0298894.exe	AppLaunch.exe
PID 1808 wrote to memory of 4348	1808	j0298894.exe	AppLaunch.exe
PID 3756 wrote to memory of 1788	3756	y0997090.exe	k1702304.exe
PID 3756 wrote to memory of 1788	3756	y0997090.exe	k1702304.exe
PID 4840 wrote to memory of 740	4840	y3695578.exe	l5380084.exe
PID 4840 wrote to memory of 740	4840	y3695578.exe	l5380084.exe
PID 4840 wrote to memory of 740	4840	y3695578.exe	l5380084.exe
PID 2628 wrote to memory of 912	2628	y0964228.exe	m1640606.exe
PID 2628 wrote to memory of 912	2628	y0964228.exe	m1640606.exe
PID 2628 wrote to memory of 912	2628	y0964228.exe	m1640606.exe
PID 912 wrote to memory of 1624	912	m1640606.exe	lamod.exe
PID 912 wrote to memory of 1624	912	m1640606.exe	lamod.exe
PID 912 wrote to memory of 1624	912	m1640606.exe	lamod.exe
PID 2120 wrote to memory of 4368	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	n2682414.exe
PID 2120 wrote to memory of 4368	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	n2682414.exe
PID 2120 wrote to memory of 4368	2120	78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe	n2682414.exe
PID 1624 wrote to memory of 1228	1624	lamod.exe	schtasks.exe
PID 1624 wrote to memory of 1228	1624	lamod.exe	schtasks.exe
PID 1624 wrote to memory of 1228	1624	lamod.exe	schtasks.exe
PID 4368 wrote to memory of 4248	4368	n2682414.exe	AppLaunch.exe
PID 4368 wrote to memory of 4248	4368	n2682414.exe	AppLaunch.exe
PID 4368 wrote to memory of 4248	4368	n2682414.exe	AppLaunch.exe
PID 4368 wrote to memory of 4248	4368	n2682414.exe	AppLaunch.exe
PID 1624 wrote to memory of 3252	1624	lamod.exe	cmd.exe
PID 1624 wrote to memory of 3252	1624	lamod.exe	cmd.exe
PID 1624 wrote to memory of 3252	1624	lamod.exe	cmd.exe
PID 4368 wrote to memory of 4248	4368	n2682414.exe	AppLaunch.exe
PID 3252 wrote to memory of 3920	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 3920	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 3920	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 4744	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 4744	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 4744	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 64	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 64	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 64	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 3480	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 3480	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 3480	3252	cmd.exe	cmd.exe
PID 3252 wrote to memory of 424	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 424	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 424	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 452	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 452	3252	cmd.exe	cacls.exe
PID 3252 wrote to memory of 452	3252	cmd.exe	cacls.exe
PID 1624 wrote to memory of 4912	1624	lamod.exe	rundll32.exe
PID 1624 wrote to memory of 4912	1624	lamod.exe	rundll32.exe
PID 1624 wrote to memory of 4912	1624	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe
"C:\Users\Admin\AppData\Local\Temp\78ef11548c7b49bb40de34ce436b7587531a915f7ca62eb664abba2d4f909415.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2120

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0964228.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0964228.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2628

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3695578.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3695578.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0997090.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0997090.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0298894.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0298894.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1808 -s 600
6⤵
- Program crash
PID:2656

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1702304.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1702304.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1640606.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1640606.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:912

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:1228

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3920

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:4744

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:64

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:424

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3480

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:452

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4912

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2682414.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2682414.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 596
3⤵
- Program crash
PID:4148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1808 -ip 1808
1⤵
PID:1432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4368 -ip 4368
1⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2682414.exe
Filesize
308KB

MD5
2386f2b0a7da11a5a55767d1738d8214

SHA1
c5ea2f355b98e7c5f54dea0ceb156af7283a470f

SHA256
820a1c7f63e4e1c3ff5c62e7824dbf72fb51131a033ff589169d2019d4c46fc8

SHA512
2d05d1b0b84b59bef78b0fbcbe3bcbb2428d66100d4b9fffdfc2fd1a75513dc19dd514b7e1ad043109516892efc8f2a3b2a5e0e6aeb662af9921634d94039396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2682414.exe
Filesize
308KB

MD5
2386f2b0a7da11a5a55767d1738d8214

SHA1
c5ea2f355b98e7c5f54dea0ceb156af7283a470f

SHA256
820a1c7f63e4e1c3ff5c62e7824dbf72fb51131a033ff589169d2019d4c46fc8

SHA512
2d05d1b0b84b59bef78b0fbcbe3bcbb2428d66100d4b9fffdfc2fd1a75513dc19dd514b7e1ad043109516892efc8f2a3b2a5e0e6aeb662af9921634d94039396

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0964228.exe
Filesize
548KB

MD5
31c29845f52c6b662478d188806e59e7

SHA1
e1ef4e774b98a28ed5bbbd07add1901b9a899d62

SHA256
5e0794991de567c39da463ca753200399cccb3d387001d3161a8ba76cd769873

SHA512
f0361d13a6dfd05f1c9cf839e31446ed1ca315d0efe76dc800c13726018d0e5d4ea760248917ad9957feeb7d52e8eb97a5b1234d7f02f8abd856fafb0a08400f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0964228.exe
Filesize
548KB

MD5
31c29845f52c6b662478d188806e59e7

SHA1
e1ef4e774b98a28ed5bbbd07add1901b9a899d62

SHA256
5e0794991de567c39da463ca753200399cccb3d387001d3161a8ba76cd769873

SHA512
f0361d13a6dfd05f1c9cf839e31446ed1ca315d0efe76dc800c13726018d0e5d4ea760248917ad9957feeb7d52e8eb97a5b1234d7f02f8abd856fafb0a08400f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1640606.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m1640606.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3695578.exe
Filesize
376KB

MD5
0438f4504e8943694e9a65c5e42e3e23

SHA1
7179481606a4c84aaf732de7c3f7cb48584e9e38

SHA256
99e58eaf01bb02aabe96bea613f457565d507f29488c86fa85e505bf380cdb9f

SHA512
d631b7d4732d9638635eb19cd33c8b5ae41af7a33ae8a5fe3975fea45b76511633547e0ee2ee79e39acab7dfee0cc81f65ee7e3c7d94bdc8921e9d4894b909ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y3695578.exe
Filesize
376KB

MD5
0438f4504e8943694e9a65c5e42e3e23

SHA1
7179481606a4c84aaf732de7c3f7cb48584e9e38

SHA256
99e58eaf01bb02aabe96bea613f457565d507f29488c86fa85e505bf380cdb9f

SHA512
d631b7d4732d9638635eb19cd33c8b5ae41af7a33ae8a5fe3975fea45b76511633547e0ee2ee79e39acab7dfee0cc81f65ee7e3c7d94bdc8921e9d4894b909ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe
Filesize
173KB

MD5
dc5f3c0198d1a21566617b03befbd44f

SHA1
6143c2d824b5a291b0288f6208d93a1e6d1b6baa

SHA256
d04cbd5e4c813affab78eee1010e993ab752c694b264507d0c9231d5fc6fa3de

SHA512
b4896ec47ffd0d5bf4cf021c48de93c8cd394503f7ad36d122c438b6805490185f35597b8ffbd2aef33131df72dedfd31ae5cbcdc8585872f405575c162676d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l5380084.exe
Filesize
173KB

MD5
dc5f3c0198d1a21566617b03befbd44f

SHA1
6143c2d824b5a291b0288f6208d93a1e6d1b6baa

SHA256
d04cbd5e4c813affab78eee1010e993ab752c694b264507d0c9231d5fc6fa3de

SHA512
b4896ec47ffd0d5bf4cf021c48de93c8cd394503f7ad36d122c438b6805490185f35597b8ffbd2aef33131df72dedfd31ae5cbcdc8585872f405575c162676d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0997090.exe
Filesize
220KB

MD5
4408f33e5dbee5819fe134a06f0e7275

SHA1
072bfc60721b35cdb0535b25c79be714b327f18a

SHA256
f4fa959ca4150a46ec6c66ca9c608679685b0fb390577d3ae7b7bcdb4920f8eb

SHA512
10bb9fdf376dfc257131e9ac5897e85c2c6dd899655f2cc353505f315ee885018c57c34317a1bf88da64a038d9e3b92732dcaaf3256bf2e7b5e26deac267d6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y0997090.exe
Filesize
220KB

MD5
4408f33e5dbee5819fe134a06f0e7275

SHA1
072bfc60721b35cdb0535b25c79be714b327f18a

SHA256
f4fa959ca4150a46ec6c66ca9c608679685b0fb390577d3ae7b7bcdb4920f8eb

SHA512
10bb9fdf376dfc257131e9ac5897e85c2c6dd899655f2cc353505f315ee885018c57c34317a1bf88da64a038d9e3b92732dcaaf3256bf2e7b5e26deac267d6a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0298894.exe
Filesize
147KB

MD5
075c632b9694ea0fde19f8e46c087511

SHA1
a657f839a6be7b3e179b0d98b623b6caa8f8adf4

SHA256
234e194a34500236438ef8c3d4b8bb633eeb73d06c29753faeb1f17becafad3e

SHA512
3880ad5d4f19ba46c8b057ec96c62d2c1d2e320b4e96846ad6d93065ffe6d3cec3b9c271efd76e6c6a0cf0cde64c4944a36fb9d8165d17f10a92a7c481a46432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j0298894.exe
Filesize
147KB

MD5
075c632b9694ea0fde19f8e46c087511

SHA1
a657f839a6be7b3e179b0d98b623b6caa8f8adf4

SHA256
234e194a34500236438ef8c3d4b8bb633eeb73d06c29753faeb1f17becafad3e

SHA512
3880ad5d4f19ba46c8b057ec96c62d2c1d2e320b4e96846ad6d93065ffe6d3cec3b9c271efd76e6c6a0cf0cde64c4944a36fb9d8165d17f10a92a7c481a46432

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1702304.exe
Filesize
14KB

MD5
ff31d605d396fb693100fd22adfcab91

SHA1
5cef83430fc118302e98b3b3e15625cb66077463

SHA256
8c9621e3e2f53c931b930094c944b5b687ccfd8efdfd2e3173473d7b26bd7daa

SHA512
fffc4d742debddad9d303a203c10b52f3312c562a85d93440327f5457c70acaa9b8ef74357d524e64a72db7666c47b3e9a24abf46949fd5d1032376d2346d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1702304.exe
Filesize
14KB

MD5
ff31d605d396fb693100fd22adfcab91

SHA1
5cef83430fc118302e98b3b3e15625cb66077463

SHA256
8c9621e3e2f53c931b930094c944b5b687ccfd8efdfd2e3173473d7b26bd7daa

SHA512
fffc4d742debddad9d303a203c10b52f3312c562a85d93440327f5457c70acaa9b8ef74357d524e64a72db7666c47b3e9a24abf46949fd5d1032376d2346d696

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
484813b61fba93c13c58493f03d27359

SHA1
5089aa57c46aac94075ebb309a8ecad88254eb29

SHA256
717b4c0a764374d60213023a41895fcc10f40a12fea1ed5010e6f998ee5a2765

SHA512
90dfa0c0534174075938fe1b686764ca4a6ea028f0b5f0c3741b486a22317b6d8fefe12392212af3633baaf3ffd36ecca2f2fce787e801a8c90b4136bd61d72e

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/740-183-0x00000000059E0000-0x0000000005A46000-memory.dmp

Filesize
408KB

Download
memory/740-177-0x0000000005610000-0x000000000571A000-memory.dmp

Filesize
1.0MB

Download
memory/740-187-0x0000000008DB0000-0x00000000092DC000-memory.dmp

Filesize
5.2MB

Download
memory/740-186-0x0000000006A00000-0x0000000006BC2000-memory.dmp

Filesize
1.8MB

Download
memory/740-185-0x00000000067E0000-0x0000000006830000-memory.dmp

Filesize
320KB

Download
memory/740-184-0x0000000006BE0000-0x0000000007184000-memory.dmp

Filesize
5.6MB

Download
memory/740-182-0x0000000005A80000-0x0000000005B12000-memory.dmp

Filesize
584KB

Download
memory/740-181-0x0000000005960000-0x00000000059D6000-memory.dmp

Filesize
472KB

Download
memory/740-180-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/740-175-0x0000000000B90000-0x0000000000BC0000-memory.dmp

Filesize
192KB

Download
memory/740-179-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/740-176-0x0000000005B20000-0x0000000006138000-memory.dmp

Filesize
6.1MB

Download
memory/740-178-0x0000000005500000-0x0000000005512000-memory.dmp

Filesize
72KB

Download
memory/740-188-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/1788-169-0x0000000000BA0000-0x0000000000BAA000-memory.dmp

Filesize
40KB

Download
memory/4248-212-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4248-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4348-161-0x0000000000360000-0x000000000036A000-memory.dmp

Filesize
40KB

Download