redline | bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d

Analysis

max time kernel
108s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe
Size

770KB
MD5

35d6eaae41ec399e97d750a8bb622adf
SHA1

832f83c8c7a1d20791fded592d406087e184533c
SHA256

bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d
SHA512

556527b9801cbf215b77ee15d0be64e61eeeedc7c61bab536e889ca118172004a17a40f6fa3b43f284bdb72f300fb406a2a233491636b5c482b607b1fdfe39e6
SSDEEP

12288:nMr9y90H7OoTe/GqVy9IKgLhCs6GWofcKM9SrTnpTPkX6nMtxc/afFJEG6+tHjm3:yyZo6+oR9rTnpTsXftxcy/M3AJAl3

Score

10^/10

redline muha sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

muha

83.97.73.129:19068

Attributes

auth_value
3c237e5fecb41481b7af249e79828a46

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exea7766541.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	a7766541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	a7766541.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	a7766541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	a7766541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	a7766541.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	a7766541.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d4065655.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	d4065655.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

v9575432.exev6920168.exev1779724.exea7766541.exeb2184139.exec2576764.exed4065655.exelamod.exee2596063.exelamod.exelamod.exe

pid	process
1604	v9575432.exe
4784	v6920168.exe
5052	v1779724.exe
3040	a7766541.exe
2056	b2184139.exe
3780	c2576764.exe
520	d4065655.exe
2444	lamod.exe
3876	e2596063.exe
1200	lamod.exe
1784	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2576 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

a7766541.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" a7766541.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2576	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	a7766541.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

v1779724.exebb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exev9575432.exev6920168.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v1779724.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	v1779724.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v9575432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	v9575432.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	v6920168.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	v6920168.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

b2184139.exee2596063.exe

description	pid	process	target process
PID 2056 set thread context of 3768	2056	b2184139.exe	AppLaunch.exe
PID 3876 set thread context of 2488	3876	e2596063.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3932 2056 WerFault.exe b2184139.exe
3884 3876 WerFault.exe e2596063.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

a7766541.exeAppLaunch.exec2576764.exeAppLaunch.exe

pid process

3040 a7766541.exe
3040 a7766541.exe
3768 AppLaunch.exe
3768 AppLaunch.exe
3780 c2576764.exe
3780 c2576764.exe
2488 AppLaunch.exe
2488 AppLaunch.exe

pid	pid_target	process	target process
3932	2056	WerFault.exe	b2184139.exe
3884	3876	WerFault.exe	e2596063.exe

pid	process
5108	schtasks.exe

pid	process
3040	a7766541.exe
3040	a7766541.exe
3768	AppLaunch.exe
3768	AppLaunch.exe
3780	c2576764.exe
3780	c2576764.exe
2488	AppLaunch.exe
2488	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

a7766541.exeAppLaunch.exec2576764.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	3040	a7766541.exe
Token: SeDebugPrivilege	3768	AppLaunch.exe
Token: SeDebugPrivilege	3780	c2576764.exe
Token: SeDebugPrivilege	2488	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

d4065655.exe

pid process

520 d4065655.exe

pid	process
520	d4065655.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exev9575432.exev6920168.exev1779724.exeb2184139.exed4065655.exelamod.execmd.exee2596063.exe

description	pid	process	target process
PID 1564 wrote to memory of 1604	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	v9575432.exe
PID 1564 wrote to memory of 1604	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	v9575432.exe
PID 1564 wrote to memory of 1604	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	v9575432.exe
PID 1604 wrote to memory of 4784	1604	v9575432.exe	v6920168.exe
PID 1604 wrote to memory of 4784	1604	v9575432.exe	v6920168.exe
PID 1604 wrote to memory of 4784	1604	v9575432.exe	v6920168.exe
PID 4784 wrote to memory of 5052	4784	v6920168.exe	v1779724.exe
PID 4784 wrote to memory of 5052	4784	v6920168.exe	v1779724.exe
PID 4784 wrote to memory of 5052	4784	v6920168.exe	v1779724.exe
PID 5052 wrote to memory of 3040	5052	v1779724.exe	a7766541.exe
PID 5052 wrote to memory of 3040	5052	v1779724.exe	a7766541.exe
PID 5052 wrote to memory of 2056	5052	v1779724.exe	b2184139.exe
PID 5052 wrote to memory of 2056	5052	v1779724.exe	b2184139.exe
PID 5052 wrote to memory of 2056	5052	v1779724.exe	b2184139.exe
PID 2056 wrote to memory of 3768	2056	b2184139.exe	AppLaunch.exe
PID 2056 wrote to memory of 3768	2056	b2184139.exe	AppLaunch.exe
PID 2056 wrote to memory of 3768	2056	b2184139.exe	AppLaunch.exe
PID 2056 wrote to memory of 3768	2056	b2184139.exe	AppLaunch.exe
PID 2056 wrote to memory of 3768	2056	b2184139.exe	AppLaunch.exe
PID 4784 wrote to memory of 3780	4784	v6920168.exe	c2576764.exe
PID 4784 wrote to memory of 3780	4784	v6920168.exe	c2576764.exe
PID 4784 wrote to memory of 3780	4784	v6920168.exe	c2576764.exe
PID 1604 wrote to memory of 520	1604	v9575432.exe	d4065655.exe
PID 1604 wrote to memory of 520	1604	v9575432.exe	d4065655.exe
PID 1604 wrote to memory of 520	1604	v9575432.exe	d4065655.exe
PID 520 wrote to memory of 2444	520	d4065655.exe	lamod.exe
PID 520 wrote to memory of 2444	520	d4065655.exe	lamod.exe
PID 520 wrote to memory of 2444	520	d4065655.exe	lamod.exe
PID 1564 wrote to memory of 3876	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	e2596063.exe
PID 1564 wrote to memory of 3876	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	e2596063.exe
PID 1564 wrote to memory of 3876	1564	bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe	e2596063.exe
PID 2444 wrote to memory of 5108	2444	lamod.exe	schtasks.exe
PID 2444 wrote to memory of 5108	2444	lamod.exe	schtasks.exe
PID 2444 wrote to memory of 5108	2444	lamod.exe	schtasks.exe
PID 2444 wrote to memory of 4572	2444	lamod.exe	cmd.exe
PID 2444 wrote to memory of 4572	2444	lamod.exe	cmd.exe
PID 2444 wrote to memory of 4572	2444	lamod.exe	cmd.exe
PID 4572 wrote to memory of 1892	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 1892	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 1892	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 2440	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 2440	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 2440	4572	cmd.exe	cacls.exe
PID 3876 wrote to memory of 2488	3876	e2596063.exe	AppLaunch.exe
PID 3876 wrote to memory of 2488	3876	e2596063.exe	AppLaunch.exe
PID 3876 wrote to memory of 2488	3876	e2596063.exe	AppLaunch.exe
PID 3876 wrote to memory of 2488	3876	e2596063.exe	AppLaunch.exe
PID 4572 wrote to memory of 4600	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 4600	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 4600	4572	cmd.exe	cacls.exe
PID 3876 wrote to memory of 2488	3876	e2596063.exe	AppLaunch.exe
PID 4572 wrote to memory of 852	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 852	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 852	4572	cmd.exe	cmd.exe
PID 4572 wrote to memory of 5012	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 5012	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 5012	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 1992	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 1992	4572	cmd.exe	cacls.exe
PID 4572 wrote to memory of 1992	4572	cmd.exe	cacls.exe
PID 2444 wrote to memory of 2576	2444	lamod.exe	rundll32.exe
PID 2444 wrote to memory of 2576	2444	lamod.exe	rundll32.exe
PID 2444 wrote to memory of 2576	2444	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe
"C:\Users\Admin\AppData\Local\Temp\bb2f4ae1293ad81a462f015de07f4a5cf01b6fa183be3fd89d5868cc6c29374d.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9575432.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9575432.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1604

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6920168.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6920168.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4784

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1779724.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1779724.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5052

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7766541.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7766541.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2184139.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2184139.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 156
6⤵
- Program crash
PID:3932

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2576764.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2576764.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3780

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4065655.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4065655.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:5108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1892

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:2440

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:852

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5012

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:1992

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:2576

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2596063.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2596063.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3876 -s 216
3⤵
- Program crash
PID:3884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2056 -ip 2056
1⤵
PID:1096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3876 -ip 3876
1⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:1784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2596063.exe
Filesize
307KB

MD5
07c47d10fd09c3bd8afaaf1d691caa2f

SHA1
319bc280fa9340503ceba083ae25e11c3dae556b

SHA256
f163764558ee641849d9c754851fef4d0772a6a700c9b6cc08fe1ef37a886cf5

SHA512
ce3e9027ca13d392a3c76244269a85448f7c293dec6fb3c41de72a40c6eed0422b667ab8ae791296ac678530d6dbcc4e420cba871db92297f243aaef9172a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e2596063.exe
Filesize
307KB

MD5
07c47d10fd09c3bd8afaaf1d691caa2f

SHA1
319bc280fa9340503ceba083ae25e11c3dae556b

SHA256
f163764558ee641849d9c754851fef4d0772a6a700c9b6cc08fe1ef37a886cf5

SHA512
ce3e9027ca13d392a3c76244269a85448f7c293dec6fb3c41de72a40c6eed0422b667ab8ae791296ac678530d6dbcc4e420cba871db92297f243aaef9172a707

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9575432.exe
Filesize
547KB

MD5
942e9c4ae0a9ca650b326a001474b799

SHA1
eac6373b7eb09b1f7fe6b210bdbb0760aee9b1ed

SHA256
0c5e9fe4aa5c430d7c6e38c274a2ee26a80ac82c501e5e608959c30452d94a84

SHA512
dbffd9ec5653b4e49e264fe269d7627b42c2b8d8693de3a84468d6f0703c7f2ed6c0a464c506025c9f8299a646794b6e2359cb80f4aec075e243d882ae1976ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\v9575432.exe
Filesize
547KB

MD5
942e9c4ae0a9ca650b326a001474b799

SHA1
eac6373b7eb09b1f7fe6b210bdbb0760aee9b1ed

SHA256
0c5e9fe4aa5c430d7c6e38c274a2ee26a80ac82c501e5e608959c30452d94a84

SHA512
dbffd9ec5653b4e49e264fe269d7627b42c2b8d8693de3a84468d6f0703c7f2ed6c0a464c506025c9f8299a646794b6e2359cb80f4aec075e243d882ae1976ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4065655.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\d4065655.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6920168.exe
Filesize
375KB

MD5
3ba2701a037af6e65377f9a777bf19a3

SHA1
f537b02a99425dee07d5f23b55d9d17fe742e5e6

SHA256
77accdf68554e7a410990252b3df4e7a116a867752817674361b16e693afb141

SHA512
8beb69ad820de4b82cad2b9cda046f104c4f003dbab427161f2da93ff848f5fbbfb7e8e6e02b954af7f941e2bbdb8f159415ccf33cdeb172b91cad864d984d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\v6920168.exe
Filesize
375KB

MD5
3ba2701a037af6e65377f9a777bf19a3

SHA1
f537b02a99425dee07d5f23b55d9d17fe742e5e6

SHA256
77accdf68554e7a410990252b3df4e7a116a867752817674361b16e693afb141

SHA512
8beb69ad820de4b82cad2b9cda046f104c4f003dbab427161f2da93ff848f5fbbfb7e8e6e02b954af7f941e2bbdb8f159415ccf33cdeb172b91cad864d984d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2576764.exe
Filesize
172KB

MD5
bc85708e7e6bb9dd6788b71813dc112e

SHA1
707a7fecb499e32e6300f123c712d4ee6dbd11a2

SHA256
7c860cfa0474a3768838367519edc43138d40257daa8fc835bde25fa84301aa9

SHA512
246bbb9bc13972f8ad0b716abe89a9223ee4a0174cb9b22e09de8d0aa4d8b901ca4a1307e4063170511f9f09569f1e957ccaeecf577882cca690f8f707f63726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\c2576764.exe
Filesize
172KB

MD5
bc85708e7e6bb9dd6788b71813dc112e

SHA1
707a7fecb499e32e6300f123c712d4ee6dbd11a2

SHA256
7c860cfa0474a3768838367519edc43138d40257daa8fc835bde25fa84301aa9

SHA512
246bbb9bc13972f8ad0b716abe89a9223ee4a0174cb9b22e09de8d0aa4d8b901ca4a1307e4063170511f9f09569f1e957ccaeecf577882cca690f8f707f63726

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1779724.exe
Filesize
220KB

MD5
6511ed717eae1e5e6db5226d7d6fc162

SHA1
7bff8483d3a7174b14c64f5036796c7cda13d0d3

SHA256
ef4a53d0eb3163d2e165e3bbf8e8e4ecd175cf04705b8842b4d1653aadbbcdec

SHA512
06949733dfbbe92769f1a58684ae5306d325ec267d65d3ac8be6f1a7bfec148961dac7e695288f491303af65296fa702b4ca291e7c0280ade2df196e6fdf3310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\v1779724.exe
Filesize
220KB

MD5
6511ed717eae1e5e6db5226d7d6fc162

SHA1
7bff8483d3a7174b14c64f5036796c7cda13d0d3

SHA256
ef4a53d0eb3163d2e165e3bbf8e8e4ecd175cf04705b8842b4d1653aadbbcdec

SHA512
06949733dfbbe92769f1a58684ae5306d325ec267d65d3ac8be6f1a7bfec148961dac7e695288f491303af65296fa702b4ca291e7c0280ade2df196e6fdf3310

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7766541.exe
Filesize
14KB

MD5
8c896a56338b2f0cad41fb6eda0ef7a3

SHA1
efb4d07120bbc1b2ed6f291f71f16312fa622090

SHA256
f9e754416b292018ea8c5cab32c2edb8e49f197818321ea7c45ec6ab59a696be

SHA512
d7fec4b81b9cff321d53965d472ccb48d44ce7769a25ffc28e530892dfe4f68dad654a284f174054ab60b63f2f6b5d37a2aba9c1d4ca9468c9b159fcf9dab21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\a7766541.exe
Filesize
14KB

MD5
8c896a56338b2f0cad41fb6eda0ef7a3

SHA1
efb4d07120bbc1b2ed6f291f71f16312fa622090

SHA256
f9e754416b292018ea8c5cab32c2edb8e49f197818321ea7c45ec6ab59a696be

SHA512
d7fec4b81b9cff321d53965d472ccb48d44ce7769a25ffc28e530892dfe4f68dad654a284f174054ab60b63f2f6b5d37a2aba9c1d4ca9468c9b159fcf9dab21b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2184139.exe
Filesize
147KB

MD5
cab7301ac2407fa21c62ddf0e2252d62

SHA1
5a161f01e1a04502e1f73490c94ee05972fef4d0

SHA256
cac0fc701df46150f1f905e02c106622683daf11f3d849fff78d92b0046f165a

SHA512
e0784d62869e2fefd1f9e64a16c2003d034bcf2754801dcb378bc4af666f23d27ce92f7f149a2758390fb467e2dca3e854734a42dcae87723c7bd8aa2717031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\b2184139.exe
Filesize
147KB

MD5
cab7301ac2407fa21c62ddf0e2252d62

SHA1
5a161f01e1a04502e1f73490c94ee05972fef4d0

SHA256
cac0fc701df46150f1f905e02c106622683daf11f3d849fff78d92b0046f165a

SHA512
e0784d62869e2fefd1f9e64a16c2003d034bcf2754801dcb378bc4af666f23d27ce92f7f149a2758390fb467e2dca3e854734a42dcae87723c7bd8aa2717031f

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
97e6023227d1a3784ca6684b6d2f1d74

SHA1
388110ae3e3171e25bdf09699ac3e3b76cb19279

SHA256
30bef9dd7de79ce80a033db69ff64126e9fc9acc82bc1456dfa89d0eaaecfe17

SHA512
05ea0ddaac071e4c52e659495fdf47fc10a3a99b3aa2e362f17492beb0455d3a2f0755e7027aaec197c93131c3b7f8eef8dd9d4d1b1db921ae9e7f6580ef4be8

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/2488-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2488-212-0x0000000005280000-0x0000000005290000-memory.dmp

Filesize
64KB

Download
memory/3040-161-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/3768-166-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3780-188-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3780-187-0x000000000C460000-0x000000000C98C000-memory.dmp

Filesize
5.2MB

Download
memory/3780-186-0x000000000BD60000-0x000000000BF22000-memory.dmp

Filesize
1.8MB

Download
memory/3780-185-0x000000000B3F0000-0x000000000B440000-memory.dmp

Filesize
320KB

Download
memory/3780-184-0x000000000A890000-0x000000000A8F6000-memory.dmp

Filesize
408KB

Download
memory/3780-182-0x000000000B4E0000-0x000000000BA84000-memory.dmp

Filesize
5.6MB

Download
memory/3780-181-0x000000000A7F0000-0x000000000A882000-memory.dmp

Filesize
584KB

Download
memory/3780-180-0x000000000A6D0000-0x000000000A746000-memory.dmp

Filesize
472KB

Download
memory/3780-179-0x000000000A3C0000-0x000000000A3FC000-memory.dmp

Filesize
240KB

Download
memory/3780-178-0x0000000004E60000-0x0000000004E70000-memory.dmp

Filesize
64KB

Download
memory/3780-177-0x000000000A360000-0x000000000A372000-memory.dmp

Filesize
72KB

Download
memory/3780-176-0x000000000A440000-0x000000000A54A000-memory.dmp

Filesize
1.0MB

Download
memory/3780-175-0x000000000A910000-0x000000000AF28000-memory.dmp

Filesize
6.1MB

Download
memory/3780-174-0x00000000004A0000-0x00000000004D0000-memory.dmp

Filesize
192KB

Download