redline | d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e

Analysis

max time kernel
141s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe
Size

771KB
MD5

04b0ead12b66ffc913d09bcf23e249f1
SHA1

e7648c55edabd2e81b32ce0d1c0c1d02926d2429
SHA256

d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e
SHA512

7e929f6e365b142401789b2018ff2b9489bf2db085a7df0075730644777f4f4568848e47fd45fc035f5ba80a83309d7d364db51646c3129e95cdfa31af355e46
SSDEEP

24576:0yDrSzHFkxsPY8QK8Q3GoMpiSEkICFshUC:D0+xeY8MWGoMMOFK

Score

10^/10

redline diza sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek1198905.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k1198905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k1198905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k1198905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k1198905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k1198905.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k1198905.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe	family_redline
behavioral1/memory/636-175-0x0000000000DC0000-0x0000000000DF0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m9451271.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	m9451271.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2548970870-3691742953-3895070203-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

y0333816.exey4076726.exey4251112.exej5471989.exek1198905.exel4820847.exem9451271.exelamod.exen7282954.exelamod.exelamod.exe

pid	process
1344	y0333816.exe
5048	y4076726.exe
1444	y4251112.exe
2984	j5471989.exe
1928	k1198905.exe
636	l4820847.exe
1272	m9451271.exe
3168	lamod.exe
968	n7282954.exe
1632	lamod.exe
2532	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

460 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k1198905.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k1198905.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
460	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k1198905.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y4251112.exed2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exey0333816.exey4076726.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4251112.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y4251112.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0333816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0333816.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4076726.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y4076726.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

j5471989.exen7282954.exe

description	pid	process	target process
PID 2984 set thread context of 1700	2984	j5471989.exe	AppLaunch.exe
PID 968 set thread context of 1304	968	n7282954.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1752 2984 WerFault.exe j5471989.exe
3500 968 WerFault.exe n7282954.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3372 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exek1198905.exel4820847.exeAppLaunch.exe

pid process

1700 AppLaunch.exe
1700 AppLaunch.exe
1928 k1198905.exe
1928 k1198905.exe
636 l4820847.exe
636 l4820847.exe
1304 AppLaunch.exe
1304 AppLaunch.exe

pid	pid_target	process	target process
1752	2984	WerFault.exe	j5471989.exe
3500	968	WerFault.exe	n7282954.exe

pid	process
3372	schtasks.exe

pid	process
1700	AppLaunch.exe
1700	AppLaunch.exe
1928	k1198905.exe
1928	k1198905.exe
636	l4820847.exe
636	l4820847.exe
1304	AppLaunch.exe
1304	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exek1198905.exel4820847.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	1700	AppLaunch.exe
Token: SeDebugPrivilege	1928	k1198905.exe
Token: SeDebugPrivilege	636	l4820847.exe
Token: SeDebugPrivilege	1304	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m9451271.exe

pid process

1272 m9451271.exe

pid	process
1272	m9451271.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exey0333816.exey4076726.exey4251112.exej5471989.exem9451271.exelamod.execmd.exen7282954.exe

description	pid	process	target process
PID 1792 wrote to memory of 1344	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	y0333816.exe
PID 1792 wrote to memory of 1344	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	y0333816.exe
PID 1792 wrote to memory of 1344	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	y0333816.exe
PID 1344 wrote to memory of 5048	1344	y0333816.exe	y4076726.exe
PID 1344 wrote to memory of 5048	1344	y0333816.exe	y4076726.exe
PID 1344 wrote to memory of 5048	1344	y0333816.exe	y4076726.exe
PID 5048 wrote to memory of 1444	5048	y4076726.exe	y4251112.exe
PID 5048 wrote to memory of 1444	5048	y4076726.exe	y4251112.exe
PID 5048 wrote to memory of 1444	5048	y4076726.exe	y4251112.exe
PID 1444 wrote to memory of 2984	1444	y4251112.exe	j5471989.exe
PID 1444 wrote to memory of 2984	1444	y4251112.exe	j5471989.exe
PID 1444 wrote to memory of 2984	1444	y4251112.exe	j5471989.exe
PID 2984 wrote to memory of 1700	2984	j5471989.exe	AppLaunch.exe
PID 2984 wrote to memory of 1700	2984	j5471989.exe	AppLaunch.exe
PID 2984 wrote to memory of 1700	2984	j5471989.exe	AppLaunch.exe
PID 2984 wrote to memory of 1700	2984	j5471989.exe	AppLaunch.exe
PID 2984 wrote to memory of 1700	2984	j5471989.exe	AppLaunch.exe
PID 1444 wrote to memory of 1928	1444	y4251112.exe	k1198905.exe
PID 1444 wrote to memory of 1928	1444	y4251112.exe	k1198905.exe
PID 5048 wrote to memory of 636	5048	y4076726.exe	l4820847.exe
PID 5048 wrote to memory of 636	5048	y4076726.exe	l4820847.exe
PID 5048 wrote to memory of 636	5048	y4076726.exe	l4820847.exe
PID 1344 wrote to memory of 1272	1344	y0333816.exe	m9451271.exe
PID 1344 wrote to memory of 1272	1344	y0333816.exe	m9451271.exe
PID 1344 wrote to memory of 1272	1344	y0333816.exe	m9451271.exe
PID 1272 wrote to memory of 3168	1272	m9451271.exe	lamod.exe
PID 1272 wrote to memory of 3168	1272	m9451271.exe	lamod.exe
PID 1272 wrote to memory of 3168	1272	m9451271.exe	lamod.exe
PID 1792 wrote to memory of 968	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	n7282954.exe
PID 1792 wrote to memory of 968	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	n7282954.exe
PID 1792 wrote to memory of 968	1792	d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe	n7282954.exe
PID 3168 wrote to memory of 3372	3168	lamod.exe	schtasks.exe
PID 3168 wrote to memory of 3372	3168	lamod.exe	schtasks.exe
PID 3168 wrote to memory of 3372	3168	lamod.exe	schtasks.exe
PID 3168 wrote to memory of 3696	3168	lamod.exe	cmd.exe
PID 3168 wrote to memory of 3696	3168	lamod.exe	cmd.exe
PID 3168 wrote to memory of 3696	3168	lamod.exe	cmd.exe
PID 3696 wrote to memory of 4548	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 4548	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 4548	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 2072	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 2072	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 2072	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 3788	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 3788	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 3788	3696	cmd.exe	cacls.exe
PID 968 wrote to memory of 1304	968	n7282954.exe	AppLaunch.exe
PID 968 wrote to memory of 1304	968	n7282954.exe	AppLaunch.exe
PID 968 wrote to memory of 1304	968	n7282954.exe	AppLaunch.exe
PID 968 wrote to memory of 1304	968	n7282954.exe	AppLaunch.exe
PID 3696 wrote to memory of 2432	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 2432	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 2432	3696	cmd.exe	cmd.exe
PID 3696 wrote to memory of 3660	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 3660	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 3660	3696	cmd.exe	cacls.exe
PID 968 wrote to memory of 1304	968	n7282954.exe	AppLaunch.exe
PID 3696 wrote to memory of 4740	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 4740	3696	cmd.exe	cacls.exe
PID 3696 wrote to memory of 4740	3696	cmd.exe	cacls.exe
PID 3168 wrote to memory of 460	3168	lamod.exe	rundll32.exe
PID 3168 wrote to memory of 460	3168	lamod.exe	rundll32.exe
PID 3168 wrote to memory of 460	3168	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe
"C:\Users\Admin\AppData\Local\Temp\d2153dd94e6f41383eb66f847fd31064dd86f151055c722e7b827cc73953d03e.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1792

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333816.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333816.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1344

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4076726.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4076726.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4251112.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4251112.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5471989.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5471989.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2984 -s 156
6⤵
- Program crash
PID:1752

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1198905.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1198905.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1928

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:636

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9451271.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9451271.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1272

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:3372

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4548

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2072

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3788

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:2432

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:4740

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:460

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7282954.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7282954.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 152
3⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2984 -ip 2984
1⤵
PID:4192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 968 -ip 968
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:2532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7282954.exe
Filesize
308KB

MD5
e3bd343dc7a87246cb8faeacade567a5

SHA1
b6580a96d1642f0e9b2d86e4c13659e386b273de

SHA256
bc05ea81e76652a5b98638829abcd7d2b67bc2a517058d3d65a6002ffc401a80

SHA512
ffba128777566fdcfe46daed5a61c519ad630ebf5230770c49128d9eda81ce0546cd085bcc6bde91d9752f4612036ca8f2dd16a322d1db6a4437d77c62343ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7282954.exe
Filesize
308KB

MD5
e3bd343dc7a87246cb8faeacade567a5

SHA1
b6580a96d1642f0e9b2d86e4c13659e386b273de

SHA256
bc05ea81e76652a5b98638829abcd7d2b67bc2a517058d3d65a6002ffc401a80

SHA512
ffba128777566fdcfe46daed5a61c519ad630ebf5230770c49128d9eda81ce0546cd085bcc6bde91d9752f4612036ca8f2dd16a322d1db6a4437d77c62343ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333816.exe
Filesize
547KB

MD5
22b13a058adda4dcfe83fe50fe52a7bf

SHA1
e8c01a6a8cee8ff6e14825e2d06bef1c3fd49653

SHA256
0026766e78a1ba3894549bd81ac0f47a5ba3807bb6f961182be2a5257e168dad

SHA512
8337d8c1f48931c7733b5ea720e694e9237d451925698b8bf7e2b695b7702eb597d5db98826e6339dec3966e687aafea484a207d22c35dba581ee4b331c2b9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0333816.exe
Filesize
547KB

MD5
22b13a058adda4dcfe83fe50fe52a7bf

SHA1
e8c01a6a8cee8ff6e14825e2d06bef1c3fd49653

SHA256
0026766e78a1ba3894549bd81ac0f47a5ba3807bb6f961182be2a5257e168dad

SHA512
8337d8c1f48931c7733b5ea720e694e9237d451925698b8bf7e2b695b7702eb597d5db98826e6339dec3966e687aafea484a207d22c35dba581ee4b331c2b9b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9451271.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9451271.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4076726.exe
Filesize
375KB

MD5
cc69b4164ea64481bb4a72aeb6449d43

SHA1
2b5092bca0f229574f16e81e87418f740251b140

SHA256
6a6b316ee2f9f9f104d9834349fbeb3980e87344eec23430599f451e5a08684f

SHA512
bfe17212c54be387d054f938b2cff9691839e6628b3ed7222830f2eab4e0f680841ce91aa9ddbe0ae6ce54d836ca21ea65196ee777c25ad5411bd9363d032cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y4076726.exe
Filesize
375KB

MD5
cc69b4164ea64481bb4a72aeb6449d43

SHA1
2b5092bca0f229574f16e81e87418f740251b140

SHA256
6a6b316ee2f9f9f104d9834349fbeb3980e87344eec23430599f451e5a08684f

SHA512
bfe17212c54be387d054f938b2cff9691839e6628b3ed7222830f2eab4e0f680841ce91aa9ddbe0ae6ce54d836ca21ea65196ee777c25ad5411bd9363d032cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe
Filesize
173KB

MD5
51d9f62ce0cf5dab247a52c295b837fc

SHA1
3c973447debacf300b75d78c9feff8d8d803f68d

SHA256
2587e88b9b78b30f5933bd09bf81e52b5d28642009eaa3c31bf0e2c76dc654f3

SHA512
0f38f056e5a7463a512a5722e5cb3572911d5c8f317ff8a41498fd7d7c975ed6d1b0a2df53217c198392dc851fc6cb8ba4659b131a650d670803f9d2e3991f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l4820847.exe
Filesize
173KB

MD5
51d9f62ce0cf5dab247a52c295b837fc

SHA1
3c973447debacf300b75d78c9feff8d8d803f68d

SHA256
2587e88b9b78b30f5933bd09bf81e52b5d28642009eaa3c31bf0e2c76dc654f3

SHA512
0f38f056e5a7463a512a5722e5cb3572911d5c8f317ff8a41498fd7d7c975ed6d1b0a2df53217c198392dc851fc6cb8ba4659b131a650d670803f9d2e3991f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4251112.exe
Filesize
220KB

MD5
af61bb1fdc9d8f69c2ee7f3861180c27

SHA1
25e1aee07642e0f53149e69ed562a0acb520a6a0

SHA256
75c476b03bee5906df35c90483ab8fc6cd72fc718f2a269162fc3553c254302f

SHA512
7143ca6f22c22014d8818200a52c01df33234a48a1c6a58d3f843066c56149257d5de857534d5c6f0b321cd0c4b054f5578e5f1b8c2929fc5e6472aee3754b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y4251112.exe
Filesize
220KB

MD5
af61bb1fdc9d8f69c2ee7f3861180c27

SHA1
25e1aee07642e0f53149e69ed562a0acb520a6a0

SHA256
75c476b03bee5906df35c90483ab8fc6cd72fc718f2a269162fc3553c254302f

SHA512
7143ca6f22c22014d8818200a52c01df33234a48a1c6a58d3f843066c56149257d5de857534d5c6f0b321cd0c4b054f5578e5f1b8c2929fc5e6472aee3754b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5471989.exe
Filesize
147KB

MD5
b376412c9236db893d6e62c2cdfd1a5c

SHA1
f90a73ede1c08a3746105a62daa737261766a1ea

SHA256
7ae27dd831722e31821f9df62128a573868b9576ff9e6c564612d10577a7c4d8

SHA512
c0c355b403ea691a6edf1859e153cfcca6989b5e3d956867c482aef5f74d91d467db47f0d4395fdd124581db901de834ca1e5f6e11223d4784af74ca74e0c625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j5471989.exe
Filesize
147KB

MD5
b376412c9236db893d6e62c2cdfd1a5c

SHA1
f90a73ede1c08a3746105a62daa737261766a1ea

SHA256
7ae27dd831722e31821f9df62128a573868b9576ff9e6c564612d10577a7c4d8

SHA512
c0c355b403ea691a6edf1859e153cfcca6989b5e3d956867c482aef5f74d91d467db47f0d4395fdd124581db901de834ca1e5f6e11223d4784af74ca74e0c625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1198905.exe
Filesize
14KB

MD5
2c9c558cf2676f2e715a8e8bd8a0a9c5

SHA1
7e0ac441f572f88c763dc17f84063507581b7ed0

SHA256
7e09bf830c8cc7a9aa5818adb506b9d395812a85bb9d9c94e37039cb7ad5192c

SHA512
9ac146901ee94daa81601a9f37e1a70b416debb00a168168c9665ccdf26249ad52886ee548559e581b426535d94d5b486e232852ae48beabc0483de767f47e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k1198905.exe
Filesize
14KB

MD5
2c9c558cf2676f2e715a8e8bd8a0a9c5

SHA1
7e0ac441f572f88c763dc17f84063507581b7ed0

SHA256
7e09bf830c8cc7a9aa5818adb506b9d395812a85bb9d9c94e37039cb7ad5192c

SHA512
9ac146901ee94daa81601a9f37e1a70b416debb00a168168c9665ccdf26249ad52886ee548559e581b426535d94d5b486e232852ae48beabc0483de767f47e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
f086fb8bbb1ec22ade6a0edc6512d5aa

SHA1
5fb58b22fe456296a20ee8fa9bc95fbdfd82b543

SHA256
1f78d8924841c575713cf1611d0fc65b96208d2f9bf7bcab935a7c4548c4b60e

SHA512
b16c4e1aa8025d5a3fb5c29103c9c3ae9b8e4c0a10a557d2fe6a71d5d8821f3a2d0cef62493646c97813171d5ea10b3bc761255047b8037ab9c758d93c9d06dc

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/636-183-0x000000000AF30000-0x000000000AF96000-memory.dmp

Filesize
408KB

Download
memory/636-177-0x000000000AC00000-0x000000000AD0A000-memory.dmp

Filesize
1.0MB

Download
memory/636-187-0x000000000CD40000-0x000000000D26C000-memory.dmp

Filesize
5.2MB

Download
memory/636-186-0x000000000C640000-0x000000000C802000-memory.dmp

Filesize
1.8MB

Download
memory/636-185-0x000000000BD00000-0x000000000BD50000-memory.dmp

Filesize
320KB

Download
memory/636-184-0x000000000C090000-0x000000000C634000-memory.dmp

Filesize
5.6MB

Download
memory/636-182-0x000000000AFD0000-0x000000000B062000-memory.dmp

Filesize
584KB

Download
memory/636-181-0x000000000AEB0000-0x000000000AF26000-memory.dmp

Filesize
472KB

Download
memory/636-180-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/636-175-0x0000000000DC0000-0x0000000000DF0000-memory.dmp

Filesize
192KB

Download
memory/636-179-0x000000000ABA0000-0x000000000ABDC000-memory.dmp

Filesize
240KB

Download
memory/636-176-0x000000000B080000-0x000000000B698000-memory.dmp

Filesize
6.1MB

Download
memory/636-178-0x000000000AB40000-0x000000000AB52000-memory.dmp

Filesize
72KB

Download
memory/636-188-0x0000000002F80000-0x0000000002F90000-memory.dmp

Filesize
64KB

Download
memory/1304-212-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/1304-206-0x00000000007B0000-0x00000000007E0000-memory.dmp

Filesize
192KB

Download
memory/1700-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1928-169-0x0000000000BD0000-0x0000000000BDA000-memory.dmp

Filesize
40KB

Download