redline | ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825

Analysis

max time kernel
138s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe
Size

769KB
MD5

2c07a4dcc55623324990642eb3348f6e
SHA1

34cd045078165706c16f989758d208a00638c616
SHA256

ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825
SHA512

b07cdd9a36a00540feef543d522106b7be67acb14538e65eb69bc7434af893ca5622afb805547280eb086007657d32ce2025bf1e0080baa112bff99704e117f6
SSDEEP

12288:HMriy90sdRUz8lj8kXgNXBWYvePi82VABjPFENZkuhVLDjcewI43x6VVp5ODq:lybbsBWlPP2WBjFsk0VLDIpjh66Dq

Score

10^/10

redline duha sheron evasion infostealer persistence spyware trojan

Malware Config

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek0165398.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k0165398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k0165398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k0165398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k0165398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k0165398.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k0165398.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m9243109.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	m9243109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 12 IoCs

Processes:

y0082598.exey1813055.exey7429120.exej8551380.exek0165398.exel7673835.exem9243109.exelamod.exen7775504.exelamod.exelamod.exelamod.exe

pid	process
2992	y0082598.exe
5024	y1813055.exe
1072	y7429120.exe
1284	j8551380.exe
632	k0165398.exe
3456	l7673835.exe
384	m9243109.exe
4964	lamod.exe
3336	n7775504.exe
3948	lamod.exe
4936	lamod.exe
4356	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4520 rundll32.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k0165398.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k0165398.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4520	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k0165398.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y1813055.exey7429120.exeab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exey0082598.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y1813055.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y7429120.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y7429120.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0082598.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y0082598.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y1813055.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

j8551380.exen7775504.exe

description	pid	process	target process
PID 1284 set thread context of 4256	1284	j8551380.exe	AppLaunch.exe
PID 3336 set thread context of 4444	3336	n7775504.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4604 1284 WerFault.exe j8551380.exe
1868 3456 WerFault.exe l7673835.exe
3788 3336 WerFault.exe n7775504.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2880 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

AppLaunch.exek0165398.exeAppLaunch.exe

pid process

4256 AppLaunch.exe
4256 AppLaunch.exe
632 k0165398.exe
632 k0165398.exe
4444 AppLaunch.exe
4444 AppLaunch.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AppLaunch.exek0165398.exeAppLaunch.exe

description pid process

Token: SeDebugPrivilege 4256 AppLaunch.exe
Token: SeDebugPrivilege 632 k0165398.exe
Token: SeDebugPrivilege 4444 AppLaunch.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m9243109.exe

pid process

384 m9243109.exe

pid	pid_target	process	target process
4604	1284	WerFault.exe	j8551380.exe
1868	3456	WerFault.exe	l7673835.exe
3788	3336	WerFault.exe	n7775504.exe

pid	process
2880	schtasks.exe

pid	process
4256	AppLaunch.exe
4256	AppLaunch.exe
632	k0165398.exe
632	k0165398.exe
4444	AppLaunch.exe
4444	AppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4256	AppLaunch.exe
Token: SeDebugPrivilege	632	k0165398.exe
Token: SeDebugPrivilege	4444	AppLaunch.exe

pid	process
384	m9243109.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exey0082598.exey1813055.exey7429120.exej8551380.exem9243109.exelamod.execmd.exen7775504.exe

description	pid	process	target process
PID 4668 wrote to memory of 2992	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	y0082598.exe
PID 4668 wrote to memory of 2992	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	y0082598.exe
PID 4668 wrote to memory of 2992	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	y0082598.exe
PID 2992 wrote to memory of 5024	2992	y0082598.exe	y1813055.exe
PID 2992 wrote to memory of 5024	2992	y0082598.exe	y1813055.exe
PID 2992 wrote to memory of 5024	2992	y0082598.exe	y1813055.exe
PID 5024 wrote to memory of 1072	5024	y1813055.exe	y7429120.exe
PID 5024 wrote to memory of 1072	5024	y1813055.exe	y7429120.exe
PID 5024 wrote to memory of 1072	5024	y1813055.exe	y7429120.exe
PID 1072 wrote to memory of 1284	1072	y7429120.exe	j8551380.exe
PID 1072 wrote to memory of 1284	1072	y7429120.exe	j8551380.exe
PID 1072 wrote to memory of 1284	1072	y7429120.exe	j8551380.exe
PID 1284 wrote to memory of 4256	1284	j8551380.exe	AppLaunch.exe
PID 1284 wrote to memory of 4256	1284	j8551380.exe	AppLaunch.exe
PID 1284 wrote to memory of 4256	1284	j8551380.exe	AppLaunch.exe
PID 1284 wrote to memory of 4256	1284	j8551380.exe	AppLaunch.exe
PID 1284 wrote to memory of 4256	1284	j8551380.exe	AppLaunch.exe
PID 1072 wrote to memory of 632	1072	y7429120.exe	k0165398.exe
PID 1072 wrote to memory of 632	1072	y7429120.exe	k0165398.exe
PID 5024 wrote to memory of 3456	5024	y1813055.exe	l7673835.exe
PID 5024 wrote to memory of 3456	5024	y1813055.exe	l7673835.exe
PID 5024 wrote to memory of 3456	5024	y1813055.exe	l7673835.exe
PID 2992 wrote to memory of 384	2992	y0082598.exe	m9243109.exe
PID 2992 wrote to memory of 384	2992	y0082598.exe	m9243109.exe
PID 2992 wrote to memory of 384	2992	y0082598.exe	m9243109.exe
PID 384 wrote to memory of 4964	384	m9243109.exe	lamod.exe
PID 384 wrote to memory of 4964	384	m9243109.exe	lamod.exe
PID 384 wrote to memory of 4964	384	m9243109.exe	lamod.exe
PID 4668 wrote to memory of 3336	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	n7775504.exe
PID 4668 wrote to memory of 3336	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	n7775504.exe
PID 4668 wrote to memory of 3336	4668	ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe	n7775504.exe
PID 4964 wrote to memory of 2880	4964	lamod.exe	schtasks.exe
PID 4964 wrote to memory of 2880	4964	lamod.exe	schtasks.exe
PID 4964 wrote to memory of 2880	4964	lamod.exe	schtasks.exe
PID 4964 wrote to memory of 1420	4964	lamod.exe	cmd.exe
PID 4964 wrote to memory of 1420	4964	lamod.exe	cmd.exe
PID 4964 wrote to memory of 1420	4964	lamod.exe	cmd.exe
PID 1420 wrote to memory of 1896	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 1896	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 1896	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 1016	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 1016	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 1016	1420	cmd.exe	cacls.exe
PID 3336 wrote to memory of 4444	3336	n7775504.exe	AppLaunch.exe
PID 3336 wrote to memory of 4444	3336	n7775504.exe	AppLaunch.exe
PID 3336 wrote to memory of 4444	3336	n7775504.exe	AppLaunch.exe
PID 3336 wrote to memory of 4444	3336	n7775504.exe	AppLaunch.exe
PID 3336 wrote to memory of 4444	3336	n7775504.exe	AppLaunch.exe
PID 1420 wrote to memory of 3672	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 3672	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 3672	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 3436	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 3436	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 3436	1420	cmd.exe	cmd.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 4052	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 984	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 984	1420	cmd.exe	cacls.exe
PID 1420 wrote to memory of 984	1420	cmd.exe	cacls.exe
PID 4964 wrote to memory of 4520	4964	lamod.exe	rundll32.exe
PID 4964 wrote to memory of 4520	4964	lamod.exe	rundll32.exe
PID 4964 wrote to memory of 4520	4964	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe
"C:\Users\Admin\AppData\Local\Temp\ab2ff4a1a81127eb389aac308d0c5164d797ead7055cfc10757697530d862825.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0082598.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0082598.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1813055.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1813055.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5024

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y7429120.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y7429120.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8551380.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8551380.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 152
6⤵
- Program crash
PID:4604

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0165398.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0165398.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7673835.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7673835.exe
4⤵
- Executes dropped EXE
PID:3456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 928
5⤵
- Program crash
PID:1868

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9243109.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9243109.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:384

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:2880

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:1420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1896

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:1016

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:3672

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:3436

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:4052

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:984

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:4520

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7775504.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7775504.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 148
3⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1284 -ip 1284
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3456 -ip 3456
1⤵
PID:3848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3336 -ip 3336
1⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4936

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7775504.exe
Filesize
307KB

MD5
e0d53e956713301de1549536e279b25e

SHA1
68ada2464a751aaf09909172ffad9db6cbd40e6b

SHA256
e505ed76d2380271f6589093aa50cdbf09522758237f0f73c11e8ccc4805ddf9

SHA512
7ed7701001ead6ffa410cf182eed98319ce3ea0675447f64f82999653fab4f280614a0c92c85a1b085b003e8f5301c61740b2867b0292a7627fea297ba555f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7775504.exe
Filesize
307KB

MD5
e0d53e956713301de1549536e279b25e

SHA1
68ada2464a751aaf09909172ffad9db6cbd40e6b

SHA256
e505ed76d2380271f6589093aa50cdbf09522758237f0f73c11e8ccc4805ddf9

SHA512
7ed7701001ead6ffa410cf182eed98319ce3ea0675447f64f82999653fab4f280614a0c92c85a1b085b003e8f5301c61740b2867b0292a7627fea297ba555f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0082598.exe
Filesize
547KB

MD5
33a800f429c6231744623206acac9f9e

SHA1
0c7ed4253c423751fafd62193965aab3248d15fa

SHA256
ff2f629c4509a73bfb43270be3d877d1723fda7bc9f40ec7a4d4d6a0c311aa07

SHA512
2bc90aec1a4b6e3899e6d464e94bb83e1e7c552a8a8d16a91da12f327f75b052456faa4ca98cec0d7d72f0d6a1df5cd3925dd8432a4ed1b607045778e51c0c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y0082598.exe
Filesize
547KB

MD5
33a800f429c6231744623206acac9f9e

SHA1
0c7ed4253c423751fafd62193965aab3248d15fa

SHA256
ff2f629c4509a73bfb43270be3d877d1723fda7bc9f40ec7a4d4d6a0c311aa07

SHA512
2bc90aec1a4b6e3899e6d464e94bb83e1e7c552a8a8d16a91da12f327f75b052456faa4ca98cec0d7d72f0d6a1df5cd3925dd8432a4ed1b607045778e51c0c4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9243109.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m9243109.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1813055.exe
Filesize
375KB

MD5
aac8b38ab95e1229d78050d2d2eb7a15

SHA1
cc549b92b61e56c6d4f7cdb5a38b6f458ab16abf

SHA256
38ec1c581817e530d198fc6c5fd84f4bc975eb7d95036fbd184423b970bb06e4

SHA512
89defd4ac61ce733e7220b11207c918ae925e4b650d9d8695cf266055c3ee8c17182f64e7f005f3962bd6dae15c0a95f3676631e57ceaebed27fdd5dca2eca6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1813055.exe
Filesize
375KB

MD5
aac8b38ab95e1229d78050d2d2eb7a15

SHA1
cc549b92b61e56c6d4f7cdb5a38b6f458ab16abf

SHA256
38ec1c581817e530d198fc6c5fd84f4bc975eb7d95036fbd184423b970bb06e4

SHA512
89defd4ac61ce733e7220b11207c918ae925e4b650d9d8695cf266055c3ee8c17182f64e7f005f3962bd6dae15c0a95f3676631e57ceaebed27fdd5dca2eca6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7673835.exe
Filesize
172KB

MD5
b955b944d66fc496c4fed1fbeb83d93e

SHA1
fab9ee758a0a37b180b94907c28c325245e416c0

SHA256
c2f37a4884a5e90d788fd10315c404a3f0d63c11a92214036ad8bdd33894430e

SHA512
085eb36e9e54894d0de3ed5d87ce7f59e68678143b810d07575358948d2dbcda96d102a1c6f7ca2eb4d3ec2e1b7a6113bc8f4820800b564084ca356d0a25538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l7673835.exe
Filesize
172KB

MD5
b955b944d66fc496c4fed1fbeb83d93e

SHA1
fab9ee758a0a37b180b94907c28c325245e416c0

SHA256
c2f37a4884a5e90d788fd10315c404a3f0d63c11a92214036ad8bdd33894430e

SHA512
085eb36e9e54894d0de3ed5d87ce7f59e68678143b810d07575358948d2dbcda96d102a1c6f7ca2eb4d3ec2e1b7a6113bc8f4820800b564084ca356d0a25538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y7429120.exe
Filesize
220KB

MD5
288bfb515cd0a51beec15e847d2147aa

SHA1
6305d89e6bdd782ff45e523f44d334ea8b03f899

SHA256
92b8959406c90346b42f44c7f55f8d2ba1d26d3b2a1b49328dc88c1e7c88af56

SHA512
2782ee5de7c6db3d995be46514fa1fedd3de6c1537a7acc5a2ddff56f7595d9c260da1bb55c7b7970012886500723a970a58a18a4fed9e682a1dc90673a23fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y7429120.exe
Filesize
220KB

MD5
288bfb515cd0a51beec15e847d2147aa

SHA1
6305d89e6bdd782ff45e523f44d334ea8b03f899

SHA256
92b8959406c90346b42f44c7f55f8d2ba1d26d3b2a1b49328dc88c1e7c88af56

SHA512
2782ee5de7c6db3d995be46514fa1fedd3de6c1537a7acc5a2ddff56f7595d9c260da1bb55c7b7970012886500723a970a58a18a4fed9e682a1dc90673a23fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8551380.exe
Filesize
147KB

MD5
9aacf798233166dcc497e4aa54dbce0d

SHA1
af86ae700a93739d0ffd1f31dcac00f3026e2938

SHA256
7d4d0b262cffc00d78e73e509cd9fd87b82a6b72ad7970ee28178e6466c40c75

SHA512
29134b7b1762babaf52481476f06d2b0c9e165413793dce2bf53db44aa279317b0ff7faca698ef0677936a2a9b6680fb45bf371e03c622c702aac8b5d58b0be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j8551380.exe
Filesize
147KB

MD5
9aacf798233166dcc497e4aa54dbce0d

SHA1
af86ae700a93739d0ffd1f31dcac00f3026e2938

SHA256
7d4d0b262cffc00d78e73e509cd9fd87b82a6b72ad7970ee28178e6466c40c75

SHA512
29134b7b1762babaf52481476f06d2b0c9e165413793dce2bf53db44aa279317b0ff7faca698ef0677936a2a9b6680fb45bf371e03c622c702aac8b5d58b0be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0165398.exe
Filesize
14KB

MD5
80fdbfb355171996e19cad0c84320994

SHA1
de992e139307cc4697c13bba1b66176cedee5cee

SHA256
55441345215f463faee12bc74ce23840d2777de54818e733fb9a3967728fed39

SHA512
64b6c51b6a9738b6b1d65cc5a0e77b19ac50ab0c1f17879ca051bc1aa7d324553116380627dc3fe9ce0067ed6e16653f2b44f96a04d395ec63bb70884133130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k0165398.exe
Filesize
14KB

MD5
80fdbfb355171996e19cad0c84320994

SHA1
de992e139307cc4697c13bba1b66176cedee5cee

SHA256
55441345215f463faee12bc74ce23840d2777de54818e733fb9a3967728fed39

SHA512
64b6c51b6a9738b6b1d65cc5a0e77b19ac50ab0c1f17879ca051bc1aa7d324553116380627dc3fe9ce0067ed6e16653f2b44f96a04d395ec63bb70884133130f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
6282f5a5bf312690c855999260cafbce

SHA1
bb5e1d175c4fedc86eb994248c5f6127c64b131b

SHA256
54922fd885dc020a6c87485ab7f9ddc959e60aeedc28972d73621c5c1e60e6bf

SHA512
948c230e5f0b8a8730736c94b853aeef604eff9a667890863b24b4b8b0595a215c8a1a3a0c5655a73d69c8fba43becff936acd9ced5428e21fe0e0f224016a91

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/632-169-0x0000000000F60000-0x0000000000F6A000-memory.dmp

Filesize
40KB

Download
memory/3456-175-0x0000000000100000-0x0000000000130000-memory.dmp

Filesize
192KB

Download
memory/4256-161-0x0000000000390000-0x000000000039A000-memory.dmp

Filesize
40KB

Download
memory/4444-192-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4444-205-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4444-206-0x0000000006C00000-0x00000000071A4000-memory.dmp

Filesize
5.6MB

Download
memory/4444-207-0x0000000005A20000-0x0000000005A86000-memory.dmp

Filesize
408KB

Download
memory/4444-208-0x00000000064B0000-0x0000000006500000-memory.dmp

Filesize
320KB

Download
memory/4444-209-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4444-210-0x0000000006A20000-0x0000000006BE2000-memory.dmp

Filesize
1.8MB

Download
memory/4444-211-0x0000000008DD0000-0x00000000092FC000-memory.dmp

Filesize
5.2MB

Download
memory/4444-204-0x0000000005860000-0x00000000058D6000-memory.dmp

Filesize
472KB

Download
memory/4444-202-0x0000000005560000-0x000000000559C000-memory.dmp

Filesize
240KB

Download
memory/4444-201-0x0000000005510000-0x0000000005520000-memory.dmp

Filesize
64KB

Download
memory/4444-200-0x00000000054E0000-0x00000000054F2000-memory.dmp

Filesize
72KB

Download
memory/4444-199-0x0000000005630000-0x000000000573A000-memory.dmp

Filesize
1.0MB

Download
memory/4444-198-0x0000000005B40000-0x0000000006158000-memory.dmp

Filesize
6.1MB

Download