redline | 949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c

Analysis

max time kernel
110s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe
Size

771KB
MD5

56dfca310268607e5ea49e968b613b55
SHA1

2b11bec997c638f98120f06b90736867584d7fdd
SHA256

949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c
SHA512

ac88ce61456b0ef8e720bedcecb85aaf56daefab3cffa59a51bd2298cfd8684e8935d6376fd190b4de9360c03c1e7957b4d7236f38d0c32786f2e8d7b06115ff
SSDEEP

24576:1yVwpIA+7uKoFyhqvdAD0F3wFByJTdA6:QI+6KoFy0dAD0F6w

Score

10^/10

redline duha sheron evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek3565284.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3565284.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3565284.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3565284.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3565284.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3565284.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3565284.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

lamod.exem6371014.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	lamod.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	m6371014.exe

Executes dropped EXE 11 IoCs

Processes:

y3671184.exey1347604.exey2293302.exej1127152.exek3565284.exel1960696.exem6371014.exelamod.exen2459644.exelamod.exelamod.exe

pid	process
4652	y3671184.exe
2156	y1347604.exe
1232	y2293302.exe
3928	j1127152.exe
748	k3565284.exe
4708	l1960696.exe
3904	m6371014.exe
2916	lamod.exe
2384	n2459644.exe
4436	lamod.exe
3356	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4904 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k3565284.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k3565284.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4904	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3565284.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y3671184.exey1347604.exey2293302.exe949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3671184.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y3671184.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1347604.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1347604.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y2293302.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y2293302.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

j1127152.exen2459644.exe

description	pid	process	target process
PID 3928 set thread context of 5116	3928	j1127152.exe	AppLaunch.exe
PID 2384 set thread context of 3360	2384	n2459644.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

236 3928 WerFault.exe j1127152.exe
2824 4708 WerFault.exe l1960696.exe
3832 2384 WerFault.exe n2459644.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2444 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exek3565284.exeAppLaunch.exe

pid process

5116 AppLaunch.exe
5116 AppLaunch.exe
748 k3565284.exe
748 k3565284.exe
3360 AppLaunch.exe
3360 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exek3565284.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 5116 AppLaunch.exe
Token: SeDebugPrivilege 748 k3565284.exe
Token: SeDebugPrivilege 3360 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m6371014.exe

pid process

3904 m6371014.exe

pid	pid_target	process	target process
236	3928	WerFault.exe	j1127152.exe
2824	4708	WerFault.exe	l1960696.exe
3832	2384	WerFault.exe	n2459644.exe

pid	process
2444	schtasks.exe

pid	process
5116	AppLaunch.exe
5116	AppLaunch.exe
748	k3565284.exe
748	k3565284.exe
3360	AppLaunch.exe
3360	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	5116	AppLaunch.exe
Token: SeDebugPrivilege	748	k3565284.exe
Token: SeDebugPrivilege	3360	AppLaunch.exe

pid	process
3904	m6371014.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exey3671184.exey1347604.exey2293302.exej1127152.exem6371014.exelamod.execmd.exen2459644.exe

description	pid	process	target process
PID 4100 wrote to memory of 4652	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	y3671184.exe
PID 4100 wrote to memory of 4652	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	y3671184.exe
PID 4100 wrote to memory of 4652	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	y3671184.exe
PID 4652 wrote to memory of 2156	4652	y3671184.exe	y1347604.exe
PID 4652 wrote to memory of 2156	4652	y3671184.exe	y1347604.exe
PID 4652 wrote to memory of 2156	4652	y3671184.exe	y1347604.exe
PID 2156 wrote to memory of 1232	2156	y1347604.exe	y2293302.exe
PID 2156 wrote to memory of 1232	2156	y1347604.exe	y2293302.exe
PID 2156 wrote to memory of 1232	2156	y1347604.exe	y2293302.exe
PID 1232 wrote to memory of 3928	1232	y2293302.exe	j1127152.exe
PID 1232 wrote to memory of 3928	1232	y2293302.exe	j1127152.exe
PID 1232 wrote to memory of 3928	1232	y2293302.exe	j1127152.exe
PID 3928 wrote to memory of 5116	3928	j1127152.exe	AppLaunch.exe
PID 3928 wrote to memory of 5116	3928	j1127152.exe	AppLaunch.exe
PID 3928 wrote to memory of 5116	3928	j1127152.exe	AppLaunch.exe
PID 3928 wrote to memory of 5116	3928	j1127152.exe	AppLaunch.exe
PID 3928 wrote to memory of 5116	3928	j1127152.exe	AppLaunch.exe
PID 1232 wrote to memory of 748	1232	y2293302.exe	k3565284.exe
PID 1232 wrote to memory of 748	1232	y2293302.exe	k3565284.exe
PID 2156 wrote to memory of 4708	2156	y1347604.exe	l1960696.exe
PID 2156 wrote to memory of 4708	2156	y1347604.exe	l1960696.exe
PID 2156 wrote to memory of 4708	2156	y1347604.exe	l1960696.exe
PID 4652 wrote to memory of 3904	4652	y3671184.exe	m6371014.exe
PID 4652 wrote to memory of 3904	4652	y3671184.exe	m6371014.exe
PID 4652 wrote to memory of 3904	4652	y3671184.exe	m6371014.exe
PID 3904 wrote to memory of 2916	3904	m6371014.exe	lamod.exe
PID 3904 wrote to memory of 2916	3904	m6371014.exe	lamod.exe
PID 3904 wrote to memory of 2916	3904	m6371014.exe	lamod.exe
PID 4100 wrote to memory of 2384	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	n2459644.exe
PID 4100 wrote to memory of 2384	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	n2459644.exe
PID 4100 wrote to memory of 2384	4100	949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe	n2459644.exe
PID 2916 wrote to memory of 2444	2916	lamod.exe	schtasks.exe
PID 2916 wrote to memory of 2444	2916	lamod.exe	schtasks.exe
PID 2916 wrote to memory of 2444	2916	lamod.exe	schtasks.exe
PID 2916 wrote to memory of 3836	2916	lamod.exe	cmd.exe
PID 2916 wrote to memory of 3836	2916	lamod.exe	cmd.exe
PID 2916 wrote to memory of 3836	2916	lamod.exe	cmd.exe
PID 3836 wrote to memory of 452	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 452	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 452	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 2064	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 2064	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 2064	3836	cmd.exe	cacls.exe
PID 2384 wrote to memory of 3360	2384	n2459644.exe	AppLaunch.exe
PID 2384 wrote to memory of 3360	2384	n2459644.exe	AppLaunch.exe
PID 2384 wrote to memory of 3360	2384	n2459644.exe	AppLaunch.exe
PID 2384 wrote to memory of 3360	2384	n2459644.exe	AppLaunch.exe
PID 3836 wrote to memory of 3612	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 3612	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 3612	3836	cmd.exe	cacls.exe
PID 2384 wrote to memory of 3360	2384	n2459644.exe	AppLaunch.exe
PID 3836 wrote to memory of 3372	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 3372	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 3372	3836	cmd.exe	cmd.exe
PID 3836 wrote to memory of 4264	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 4264	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 4264	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 3528	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 3528	3836	cmd.exe	cacls.exe
PID 3836 wrote to memory of 3528	3836	cmd.exe	cacls.exe
PID 2916 wrote to memory of 4904	2916	lamod.exe	rundll32.exe
PID 2916 wrote to memory of 4904	2916	lamod.exe	rundll32.exe
PID 2916 wrote to memory of 4904	2916	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe
"C:\Users\Admin\AppData\Local\Temp\949c88f265cc9e650b26fa6b487b9ce8531f7514c49b6202ef0d11ecc731e16c.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4100

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3671184.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3671184.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4652

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1347604.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1347604.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2293302.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2293302.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1232

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1127152.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1127152.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3928 -s 152
6⤵
- Program crash
PID:236

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3565284.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3565284.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1960696.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1960696.exe
4⤵
- Executes dropped EXE
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4708 -s 928
5⤵
- Program crash
PID:2824

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6371014.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6371014.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3904

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:2444

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:3836

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:452

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2064

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3612

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3372

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4264

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:3528

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4904

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2459644.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2459644.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2384

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 152
3⤵
- Program crash
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3928 -ip 3928
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4708 -ip 4708
1⤵
PID:3632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2384 -ip 2384
1⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2459644.exe
Filesize
308KB

MD5
ef4f6053e5b87a6fa68d0ab8a6ab3d4b

SHA1
3f72c9ad22a2edcd3ebf9b54253c25e26791ba11

SHA256
b2c2730c7f9b1ceb3985b2202e63a9b4dee5853fb7d1782f555639c4f397b83d

SHA512
ee192e824c8e948fc0e0aaa86592c957f69a98561933ddbecaf46c8c0c3b63ac24f0049d6598703c1a719c4e20d8578d51817840261786ea675d74bbbfabed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n2459644.exe
Filesize
308KB

MD5
ef4f6053e5b87a6fa68d0ab8a6ab3d4b

SHA1
3f72c9ad22a2edcd3ebf9b54253c25e26791ba11

SHA256
b2c2730c7f9b1ceb3985b2202e63a9b4dee5853fb7d1782f555639c4f397b83d

SHA512
ee192e824c8e948fc0e0aaa86592c957f69a98561933ddbecaf46c8c0c3b63ac24f0049d6598703c1a719c4e20d8578d51817840261786ea675d74bbbfabed5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3671184.exe
Filesize
548KB

MD5
81aded9b0d01c2a13c96a29ffde935d9

SHA1
e5af79e0cf44a8177137a247e2ee476cec542655

SHA256
1d3d5720ca6f5ea6355e824abafa2597ccc8297592020d627756ff926934d54f

SHA512
a5e6e1e073d5f393cc17d93148d61f183985c22381d079776b86f8d1718822290b9f4fcf772fb6f495934506da2f6cfe2f060255efb027490fc1aa09f560c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y3671184.exe
Filesize
548KB

MD5
81aded9b0d01c2a13c96a29ffde935d9

SHA1
e5af79e0cf44a8177137a247e2ee476cec542655

SHA256
1d3d5720ca6f5ea6355e824abafa2597ccc8297592020d627756ff926934d54f

SHA512
a5e6e1e073d5f393cc17d93148d61f183985c22381d079776b86f8d1718822290b9f4fcf772fb6f495934506da2f6cfe2f060255efb027490fc1aa09f560c599

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6371014.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m6371014.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1347604.exe
Filesize
376KB

MD5
6dcef6f260e3a7842c83b5c63df6786f

SHA1
690de40d85c49cb28a636bdb4a3c60cf463224a6

SHA256
f7aa8626aecd71c969811fb3a4bfc1390038b1cba834f15d5c568663d92ffbd3

SHA512
1ec3ac01116167ebe67e7e8fa25df3b87e8c5accde74d375bb4d7b0edbbe4b841e4b9c8ff0dbc57f68259a69ab3f9024cd14494c00bfde6bfecd0cfea763410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1347604.exe
Filesize
376KB

MD5
6dcef6f260e3a7842c83b5c63df6786f

SHA1
690de40d85c49cb28a636bdb4a3c60cf463224a6

SHA256
f7aa8626aecd71c969811fb3a4bfc1390038b1cba834f15d5c568663d92ffbd3

SHA512
1ec3ac01116167ebe67e7e8fa25df3b87e8c5accde74d375bb4d7b0edbbe4b841e4b9c8ff0dbc57f68259a69ab3f9024cd14494c00bfde6bfecd0cfea763410d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1960696.exe
Filesize
172KB

MD5
901469ca65d13e5836305e0eacb3762b

SHA1
ca222e88428b3cfd42ce90a781cb4e8d204e28ec

SHA256
bcb9745358e6c036270508b436a2510614571846031656b7aa49339f8bbc6ae5

SHA512
5b4bb87d2ca32b078c6fa3f57ea951172cb09535063a0516579dafa7223b907388c2ebd0f59e64697e812cae4145877cef87b257b2aaed23640715eb827e6247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l1960696.exe
Filesize
172KB

MD5
901469ca65d13e5836305e0eacb3762b

SHA1
ca222e88428b3cfd42ce90a781cb4e8d204e28ec

SHA256
bcb9745358e6c036270508b436a2510614571846031656b7aa49339f8bbc6ae5

SHA512
5b4bb87d2ca32b078c6fa3f57ea951172cb09535063a0516579dafa7223b907388c2ebd0f59e64697e812cae4145877cef87b257b2aaed23640715eb827e6247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2293302.exe
Filesize
220KB

MD5
eb3e4f0c419dc026ff0219b45f82dd98

SHA1
8b557ad54e95f268f9e873c94db4b647a0055658

SHA256
782b8cf04823e826cfbeeb4d7e097e7b650ec2325ec72dfb0f7cf5d670c5bb69

SHA512
c2dff4ed1be21a5ba915e606de35f05e96557a9c6e7f5dd3e14f1bb3eff161c4775ef757dccf2369b3e06fdb42dc691fddb3c40eb6740804b1cef1ea2c238e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y2293302.exe
Filesize
220KB

MD5
eb3e4f0c419dc026ff0219b45f82dd98

SHA1
8b557ad54e95f268f9e873c94db4b647a0055658

SHA256
782b8cf04823e826cfbeeb4d7e097e7b650ec2325ec72dfb0f7cf5d670c5bb69

SHA512
c2dff4ed1be21a5ba915e606de35f05e96557a9c6e7f5dd3e14f1bb3eff161c4775ef757dccf2369b3e06fdb42dc691fddb3c40eb6740804b1cef1ea2c238e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1127152.exe
Filesize
147KB

MD5
bb10f06c37981083757e43e73a65c73b

SHA1
3960badf7e1f3298310fdb2b990ad75e7e746297

SHA256
4754a5b73ca1462e9c02349d40e3d75aa521bf929f882d4520acedfecf105e9a

SHA512
4b57d25390b338a394cfb211979af3c3de35f4d297788438a95558dde17fd55efb14961e85374c703c11b8688390b14ec2e86bc03f5456b2a674043dfcba9221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j1127152.exe
Filesize
147KB

MD5
bb10f06c37981083757e43e73a65c73b

SHA1
3960badf7e1f3298310fdb2b990ad75e7e746297

SHA256
4754a5b73ca1462e9c02349d40e3d75aa521bf929f882d4520acedfecf105e9a

SHA512
4b57d25390b338a394cfb211979af3c3de35f4d297788438a95558dde17fd55efb14961e85374c703c11b8688390b14ec2e86bc03f5456b2a674043dfcba9221

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3565284.exe
Filesize
14KB

MD5
fed842275574107bab8ae4bea0e1e994

SHA1
21223f31a7d0658dd6adc8ba7c6572316afaf93d

SHA256
10a61874c9988952dd5ed76c41adfad94ed7cd4fe9969c11c1f758a5cbbb90d7

SHA512
bca7029b9fa68e6df3fe9eeef08e00c25f69d253c3875387fb9a8fc9294d8a41b85579294a9554915816fe996c5c41fad4df70f41d8d6b02573d0513151b962f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3565284.exe
Filesize
14KB

MD5
fed842275574107bab8ae4bea0e1e994

SHA1
21223f31a7d0658dd6adc8ba7c6572316afaf93d

SHA256
10a61874c9988952dd5ed76c41adfad94ed7cd4fe9969c11c1f758a5cbbb90d7

SHA512
bca7029b9fa68e6df3fe9eeef08e00c25f69d253c3875387fb9a8fc9294d8a41b85579294a9554915816fe996c5c41fad4df70f41d8d6b02573d0513151b962f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
cfd158cdd58427daa191c0e6eeb0fd63

SHA1
afec3a80998e215acf891581281db488203937b7

SHA256
8734990c6cbb4bbd3377e19bd189a2d1b82b2325e20e66ae649271a4f05e1ac9

SHA512
24d86034c31df9fb43ebc3e9cad02058ff871a4ff14a4b417313b948e87b0fae1f1b6c91d4d34faabbfd56b6ea4c10c30b5c4cee7dc1717647899813c03a4499

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/748-169-0x0000000000F80000-0x0000000000F8A000-memory.dmp

Filesize
40KB

Download
memory/3360-209-0x000000000C190000-0x000000000C352000-memory.dmp

Filesize
1.8MB

Download
memory/3360-208-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/3360-203-0x000000000AB70000-0x000000000ABE6000-memory.dmp

Filesize
472KB

Download
memory/3360-204-0x000000000AC90000-0x000000000AD22000-memory.dmp

Filesize
584KB

Download
memory/3360-205-0x000000000B970000-0x000000000BF14000-memory.dmp

Filesize
5.6MB

Download
memory/3360-206-0x000000000AD30000-0x000000000AD96000-memory.dmp

Filesize
408KB

Download
memory/3360-207-0x000000000BF70000-0x000000000BFC0000-memory.dmp

Filesize
320KB

Download
memory/3360-202-0x00000000053F0000-0x0000000005400000-memory.dmp

Filesize
64KB

Download
memory/3360-201-0x000000000A860000-0x000000000A89C000-memory.dmp

Filesize
240KB

Download
memory/3360-210-0x000000000C890000-0x000000000CDBC000-memory.dmp

Filesize
5.2MB

Download
memory/3360-200-0x000000000A800000-0x000000000A812000-memory.dmp

Filesize
72KB

Download
memory/3360-199-0x000000000A8C0000-0x000000000A9CA000-memory.dmp

Filesize
1.0MB

Download
memory/3360-198-0x000000000ADA0000-0x000000000B3B8000-memory.dmp

Filesize
6.1MB

Download
memory/3360-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4708-175-0x0000000000F30000-0x0000000000F60000-memory.dmp

Filesize
192KB

Download
memory/5116-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download