redline | 9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe
Size

771KB
MD5

5faf4bf99af68c9a30ba14af739b08a8
SHA1

8856a72c2c4369f7d627a161d4c6d3351188b1e6
SHA256

9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca
SHA512

ed5daa5d6f398232e38071c89d44c682226ca2faa5f4fbfb42945d9215f544bb870353b24751d1e26c613515ffd25097bc7ed35ecc071805b22e3cfda95444c0
SSDEEP

12288:jMrky90Uzgc9tB/FgLfghJjfRvR91LU38w1voA7GL/hgjPJB2pBG+i6k1:/yUcV/wfgDLxR8FoAqL/huOG+nk1

Score

10^/10

redline diza sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

diza

83.97.73.129:19068

Attributes

auth_value
0d09b419c8bc967f91c68be4a17e92ee

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek2920397.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k2920397.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k2920397.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k2920397.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k2920397.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k2920397.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k2920397.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe	family_redline
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe	family_redline
behavioral1/memory/448-175-0x00000000004A0000-0x00000000004D0000-memory.dmp	family_redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m2338156.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	m2338156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

y5328804.exey6600944.exey6457583.exej6441861.exek2920397.exel0553552.exem2338156.exelamod.exen9673779.exelamod.exelamod.exe

pid	process
1772	y5328804.exe
1868	y6600944.exe
3788	y6457583.exe
1368	j6441861.exe
2852	k2920397.exe
448	l0553552.exe
2428	m2338156.exe
4200	lamod.exe
3744	n9673779.exe
3408	lamod.exe
4844	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4444 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k2920397.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k2920397.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4444	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k2920397.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y6457583.exe9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exey5328804.exey6600944.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y6457583.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y5328804.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y5328804.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6600944.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y6600944.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y6457583.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

j6441861.exen9673779.exe

description	pid	process	target process
PID 1368 set thread context of 5064	1368	j6441861.exe	AppLaunch.exe
PID 3744 set thread context of 3244	3744	n9673779.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3504 1368 WerFault.exe j6441861.exe
3552 3744 WerFault.exe n9673779.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

552 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exek2920397.exel0553552.exeAppLaunch.exe

pid process

5064 AppLaunch.exe
5064 AppLaunch.exe
2852 k2920397.exe
2852 k2920397.exe
448 l0553552.exe
448 l0553552.exe
3244 AppLaunch.exe
3244 AppLaunch.exe

pid	pid_target	process	target process
3504	1368	WerFault.exe	j6441861.exe
3552	3744	WerFault.exe	n9673779.exe

pid	process
552	schtasks.exe

pid	process
5064	AppLaunch.exe
5064	AppLaunch.exe
2852	k2920397.exe
2852	k2920397.exe
448	l0553552.exe
448	l0553552.exe
3244	AppLaunch.exe
3244	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exek2920397.exel0553552.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5064	AppLaunch.exe
Token: SeDebugPrivilege	2852	k2920397.exe
Token: SeDebugPrivilege	448	l0553552.exe
Token: SeDebugPrivilege	3244	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m2338156.exe

pid process

2428 m2338156.exe

pid	process
2428	m2338156.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exey5328804.exey6600944.exey6457583.exej6441861.exem2338156.exelamod.execmd.exen9673779.exe

description	pid	process	target process
PID 2704 wrote to memory of 1772	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	y5328804.exe
PID 2704 wrote to memory of 1772	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	y5328804.exe
PID 2704 wrote to memory of 1772	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	y5328804.exe
PID 1772 wrote to memory of 1868	1772	y5328804.exe	y6600944.exe
PID 1772 wrote to memory of 1868	1772	y5328804.exe	y6600944.exe
PID 1772 wrote to memory of 1868	1772	y5328804.exe	y6600944.exe
PID 1868 wrote to memory of 3788	1868	y6600944.exe	y6457583.exe
PID 1868 wrote to memory of 3788	1868	y6600944.exe	y6457583.exe
PID 1868 wrote to memory of 3788	1868	y6600944.exe	y6457583.exe
PID 3788 wrote to memory of 1368	3788	y6457583.exe	j6441861.exe
PID 3788 wrote to memory of 1368	3788	y6457583.exe	j6441861.exe
PID 3788 wrote to memory of 1368	3788	y6457583.exe	j6441861.exe
PID 1368 wrote to memory of 5064	1368	j6441861.exe	AppLaunch.exe
PID 1368 wrote to memory of 5064	1368	j6441861.exe	AppLaunch.exe
PID 1368 wrote to memory of 5064	1368	j6441861.exe	AppLaunch.exe
PID 1368 wrote to memory of 5064	1368	j6441861.exe	AppLaunch.exe
PID 1368 wrote to memory of 5064	1368	j6441861.exe	AppLaunch.exe
PID 3788 wrote to memory of 2852	3788	y6457583.exe	k2920397.exe
PID 3788 wrote to memory of 2852	3788	y6457583.exe	k2920397.exe
PID 1868 wrote to memory of 448	1868	y6600944.exe	l0553552.exe
PID 1868 wrote to memory of 448	1868	y6600944.exe	l0553552.exe
PID 1868 wrote to memory of 448	1868	y6600944.exe	l0553552.exe
PID 1772 wrote to memory of 2428	1772	y5328804.exe	m2338156.exe
PID 1772 wrote to memory of 2428	1772	y5328804.exe	m2338156.exe
PID 1772 wrote to memory of 2428	1772	y5328804.exe	m2338156.exe
PID 2428 wrote to memory of 4200	2428	m2338156.exe	lamod.exe
PID 2428 wrote to memory of 4200	2428	m2338156.exe	lamod.exe
PID 2428 wrote to memory of 4200	2428	m2338156.exe	lamod.exe
PID 2704 wrote to memory of 3744	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	n9673779.exe
PID 2704 wrote to memory of 3744	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	n9673779.exe
PID 2704 wrote to memory of 3744	2704	9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe	n9673779.exe
PID 4200 wrote to memory of 552	4200	lamod.exe	schtasks.exe
PID 4200 wrote to memory of 552	4200	lamod.exe	schtasks.exe
PID 4200 wrote to memory of 552	4200	lamod.exe	schtasks.exe
PID 4200 wrote to memory of 2172	4200	lamod.exe	cmd.exe
PID 4200 wrote to memory of 2172	4200	lamod.exe	cmd.exe
PID 4200 wrote to memory of 2172	4200	lamod.exe	cmd.exe
PID 2172 wrote to memory of 564	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 564	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 564	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 1436	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1436	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1436	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4048	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4048	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4048	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 1836	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 1836	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 1836	2172	cmd.exe	cmd.exe
PID 2172 wrote to memory of 2668	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 2668	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 2668	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4292	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4292	2172	cmd.exe	cacls.exe
PID 2172 wrote to memory of 4292	2172	cmd.exe	cacls.exe
PID 3744 wrote to memory of 3244	3744	n9673779.exe	AppLaunch.exe
PID 3744 wrote to memory of 3244	3744	n9673779.exe	AppLaunch.exe
PID 3744 wrote to memory of 3244	3744	n9673779.exe	AppLaunch.exe
PID 3744 wrote to memory of 3244	3744	n9673779.exe	AppLaunch.exe
PID 3744 wrote to memory of 3244	3744	n9673779.exe	AppLaunch.exe
PID 4200 wrote to memory of 4444	4200	lamod.exe	rundll32.exe
PID 4200 wrote to memory of 4444	4200	lamod.exe	rundll32.exe
PID 4200 wrote to memory of 4444	4200	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe
"C:\Users\Admin\AppData\Local\Temp\9a0bce8aeadce11593242637953f6b754771bb345919e651b36b6b07915e2bca.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2704

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5328804.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5328804.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1772

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6600944.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6600944.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6457583.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6457583.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3788

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j6441861.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j6441861.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1368 -s 152
6⤵
- Program crash
PID:3504

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2920397.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2920397.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2338156.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2338156.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2428

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:552

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:564

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:1436

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4048

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:2668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1836

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:4292

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4444

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9673779.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9673779.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 152
3⤵
- Program crash
PID:3552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 1368 -ip 1368
1⤵
PID:1920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 388 -p 3744 -ip 3744
1⤵
PID:2672

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3408

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9673779.exe
Filesize
308KB

MD5
6180e55cd492063b1f2734f9f64f52d5

SHA1
038464a724ee3c34ac6ab74166390dfa5e93b641

SHA256
7cc58936308fdeb514ba188e6d073c5634f6d5ce4d29e70eecf0d9614e048e75

SHA512
d60f5c39320c7149be455667be6759fb9f3539c61a5e783e5923665020e09d51189c77f9d935c9089f8a6e253033e240334f911038bcf5ccb23208eb0634de6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n9673779.exe
Filesize
308KB

MD5
6180e55cd492063b1f2734f9f64f52d5

SHA1
038464a724ee3c34ac6ab74166390dfa5e93b641

SHA256
7cc58936308fdeb514ba188e6d073c5634f6d5ce4d29e70eecf0d9614e048e75

SHA512
d60f5c39320c7149be455667be6759fb9f3539c61a5e783e5923665020e09d51189c77f9d935c9089f8a6e253033e240334f911038bcf5ccb23208eb0634de6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5328804.exe
Filesize
548KB

MD5
939c57c73222f51600ebbed3429fe71f

SHA1
3d760abed7b1ad36988db2a7cbe5a3d4e7dafdf5

SHA256
019f270ea78a29581abf8d452f7125ebb47b01d720ee013a9543ede28f2e7c1a

SHA512
b6131cde94510e13e3ed13e44d4660ca6a02771bdc853d89ea501bd1ec4b202d5a4b7a1734421385dfc7b253c419ccd4aa49a4c7f38c785f77cf932edb0e222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y5328804.exe
Filesize
548KB

MD5
939c57c73222f51600ebbed3429fe71f

SHA1
3d760abed7b1ad36988db2a7cbe5a3d4e7dafdf5

SHA256
019f270ea78a29581abf8d452f7125ebb47b01d720ee013a9543ede28f2e7c1a

SHA512
b6131cde94510e13e3ed13e44d4660ca6a02771bdc853d89ea501bd1ec4b202d5a4b7a1734421385dfc7b253c419ccd4aa49a4c7f38c785f77cf932edb0e222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2338156.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m2338156.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6600944.exe
Filesize
376KB

MD5
b22eff231c4db8c360ad323c395b7a22

SHA1
b086d770a360e2773fcdf95335944ef0df7593b4

SHA256
6087978f1cf03b017effdf5248230c5807b217d2f1212038a9c93c6caa4ae517

SHA512
66574f082a0459dafd40064e19f9d046b819fc1e0e2042a2322c3ffde69875e2aacc977ebf6245892b607862948e28c6cb96974d14a141cdcbce99b5936b99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y6600944.exe
Filesize
376KB

MD5
b22eff231c4db8c360ad323c395b7a22

SHA1
b086d770a360e2773fcdf95335944ef0df7593b4

SHA256
6087978f1cf03b017effdf5248230c5807b217d2f1212038a9c93c6caa4ae517

SHA512
66574f082a0459dafd40064e19f9d046b819fc1e0e2042a2322c3ffde69875e2aacc977ebf6245892b607862948e28c6cb96974d14a141cdcbce99b5936b99a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe
Filesize
173KB

MD5
53ad93cb20561fe48d9f9afe9b5aa105

SHA1
498f5b137e5936beb0a30797d4158c083780f596

SHA256
1d839d16f92b93c50e1b6163db380354183aa744824b5809fa2873d77853c879

SHA512
a15ded41bd7ef4a329a64c1addd20a5e303803fba01bd26a1a7d19b1734248eb74b79e633e497d8ecc44224075328ca4d47845f1707c3d1e2a37cd65f233cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l0553552.exe
Filesize
173KB

MD5
53ad93cb20561fe48d9f9afe9b5aa105

SHA1
498f5b137e5936beb0a30797d4158c083780f596

SHA256
1d839d16f92b93c50e1b6163db380354183aa744824b5809fa2873d77853c879

SHA512
a15ded41bd7ef4a329a64c1addd20a5e303803fba01bd26a1a7d19b1734248eb74b79e633e497d8ecc44224075328ca4d47845f1707c3d1e2a37cd65f233cb0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6457583.exe
Filesize
220KB

MD5
7655839edf6c44a3031f8befa328124a

SHA1
9956c38b35601c45c2982494fd0845acc7e68dbe

SHA256
1e633c3bbaf26a941a7bcec41d9add2014ec710957d91d227e9a9f12d685b676

SHA512
e0ae4f2e6f2d99ff29b7005d033e99993527bf00bdd43d76e643968dd1638a509dba15a58fccc23c46d874665052f60222b0f333d5f7d0489f57f5919fcb29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y6457583.exe
Filesize
220KB

MD5
7655839edf6c44a3031f8befa328124a

SHA1
9956c38b35601c45c2982494fd0845acc7e68dbe

SHA256
1e633c3bbaf26a941a7bcec41d9add2014ec710957d91d227e9a9f12d685b676

SHA512
e0ae4f2e6f2d99ff29b7005d033e99993527bf00bdd43d76e643968dd1638a509dba15a58fccc23c46d874665052f60222b0f333d5f7d0489f57f5919fcb29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j6441861.exe
Filesize
147KB

MD5
c64f91653b7b1bb8871fbd46f1c6591b

SHA1
6257157e4cc28f4c94a70843893f15cb1c5601a0

SHA256
225d5f67ba187b70238770e223ca635ff83144cb8b8cfddb0afe7bcdbe194f91

SHA512
0c32cbd4821d5ff5f0b52794b696b88128c96f6dc8b40d3d4a60319676425c11e08ed4286b954c3f90a2c98355015cabeda4e52dd8cdb72e77c89bb23208dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j6441861.exe
Filesize
147KB

MD5
c64f91653b7b1bb8871fbd46f1c6591b

SHA1
6257157e4cc28f4c94a70843893f15cb1c5601a0

SHA256
225d5f67ba187b70238770e223ca635ff83144cb8b8cfddb0afe7bcdbe194f91

SHA512
0c32cbd4821d5ff5f0b52794b696b88128c96f6dc8b40d3d4a60319676425c11e08ed4286b954c3f90a2c98355015cabeda4e52dd8cdb72e77c89bb23208dcab

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2920397.exe
Filesize
14KB

MD5
3527632995f18cceb051da361ba63bd2

SHA1
3770e748ff1e6acb195bb962b2872d46900b2602

SHA256
f2e9027ba63e5a6ce9e22d734c9a95f5f6f07f5fcffb2e7dc8d937df5a27e546

SHA512
2aad86212821fe13d8620f07a71db83a258d2b35d7e1702a22975aefbc47a4e5948a5913e0869179769bcb9ce0e7fa71a0ed57f3dcd310d5fce04f29e885fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k2920397.exe
Filesize
14KB

MD5
3527632995f18cceb051da361ba63bd2

SHA1
3770e748ff1e6acb195bb962b2872d46900b2602

SHA256
f2e9027ba63e5a6ce9e22d734c9a95f5f6f07f5fcffb2e7dc8d937df5a27e546

SHA512
2aad86212821fe13d8620f07a71db83a258d2b35d7e1702a22975aefbc47a4e5948a5913e0869179769bcb9ce0e7fa71a0ed57f3dcd310d5fce04f29e885fe2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
4b11f167f5e541e7c32a75b15b95bb0d

SHA1
9e20fe99d5e1929cfc91a1b8fe3e87207b2b1c41

SHA256
acf0fc2cc34efb2a52020d7c7713752403af321b836b20c266f5cf2b3c1ad4f8

SHA512
4b507525a06cee24aceaa18be4b5267cb348f90fba82c9ea04ac2bfb7377b6a503c8f7f3119095acf9d5cba03082127c968229b77c65dff4c00a067aacc5fcc1

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/448-183-0x000000000B470000-0x000000000BA14000-memory.dmp

Filesize
5.6MB

Download
memory/448-177-0x000000000A420000-0x000000000A52A000-memory.dmp

Filesize
1.0MB

Download
memory/448-187-0x000000000BBA0000-0x000000000BBF0000-memory.dmp

Filesize
320KB

Download
memory/448-186-0x000000000C2F0000-0x000000000C81C000-memory.dmp

Filesize
5.2MB

Download
memory/448-185-0x000000000BBF0000-0x000000000BDB2000-memory.dmp

Filesize
1.8MB

Download
memory/448-184-0x000000000AFC0000-0x000000000B026000-memory.dmp

Filesize
408KB

Download
memory/448-182-0x000000000A7F0000-0x000000000A882000-memory.dmp

Filesize
584KB

Download
memory/448-181-0x000000000A6D0000-0x000000000A746000-memory.dmp

Filesize
472KB

Download
memory/448-180-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/448-175-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download
memory/448-179-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

Filesize
240KB

Download
memory/448-176-0x000000000A8A0000-0x000000000AEB8000-memory.dmp

Filesize
6.1MB

Download
memory/448-178-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/448-188-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/2852-169-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/3244-212-0x0000000005160000-0x0000000005170000-memory.dmp

Filesize
64KB

Download
memory/3244-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/5064-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download