redline | 5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734

Analysis

max time kernel
99s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2023 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe
Size

770KB
MD5

607a968ddb4cd45a33c2a9b19fc42a4d
SHA1

3e3741dad6c0c70cd2b2066c27cf964bdc4dda52
SHA256

5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734
SHA512

3b7448813a08568cc48ca8890d302c72af2639f155738f59e8982dd54fb1ef2d5323e64e00c4f4daeb5c93a100222909fbea5d95437302b9d6bd3e99f290b92b
SSDEEP

12288:NMrny903mht1JP+nuGLdqbd9TnXOOWM3MwyclWH+HE3f0MkEluxQhg:GypnJpGpfVM82lWeQf5kaIP

Score

10^/10

redline duha sheron discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

duha

83.97.73.129:19068

Attributes

auth_value
aafe99874c3b8854069470882e00246c

Extracted

Family

redline

Botnet

sheron

83.97.73.129:19068

Attributes

auth_value
2d067e7e2372227d3a03b335260112e9

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

AppLaunch.exek3807940.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	k3807940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	k3807940.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	k3807940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	k3807940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	k3807940.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AppLaunch.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AppLaunch.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	k3807940.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

m4200447.exelamod.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	m4200447.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\Control Panel\International\Geo\Nation	lamod.exe

Executes dropped EXE 11 IoCs

Processes:

y4464508.exey0151157.exey3473188.exej2072802.exek3807940.exel2536147.exem4200447.exelamod.exen7920064.exelamod.exelamod.exe

pid	process
3124	y4464508.exe
4764	y0151157.exe
2376	y3473188.exe
1544	j2072802.exe
4836	k3807940.exe
4672	l2536147.exe
1312	m4200447.exe
960	lamod.exe
2508	n7920064.exe
4020	lamod.exe
4256	lamod.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3508 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

k3807940.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" k3807940.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
3508	rundll32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	k3807940.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

y3473188.exe5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exey4464508.exey0151157.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y3473188.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	y3473188.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y4464508.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	y4464508.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	y0151157.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	y0151157.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

Processes:

j2072802.exen7920064.exe

description	pid	process	target process
PID 1544 set thread context of 4432	1544	j2072802.exe	AppLaunch.exe
PID 2508 set thread context of 4968	2508	n7920064.exe	AppLaunch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

3156 1544 WerFault.exe j2072802.exe
4168 2508 WerFault.exe n7920064.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2144 schtasks.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AppLaunch.exek3807940.exel2536147.exeAppLaunch.exe

pid process

4432 AppLaunch.exe
4432 AppLaunch.exe
4836 k3807940.exe
4836 k3807940.exe
4672 l2536147.exe
4672 l2536147.exe
4968 AppLaunch.exe
4968 AppLaunch.exe

pid	pid_target	process	target process
3156	1544	WerFault.exe	j2072802.exe
4168	2508	WerFault.exe	n7920064.exe

pid	process
2144	schtasks.exe

pid	process
4432	AppLaunch.exe
4432	AppLaunch.exe
4836	k3807940.exe
4836	k3807940.exe
4672	l2536147.exe
4672	l2536147.exe
4968	AppLaunch.exe
4968	AppLaunch.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exek3807940.exel2536147.exeAppLaunch.exe

description	pid	process
Token: SeDebugPrivilege	4432	AppLaunch.exe
Token: SeDebugPrivilege	4836	k3807940.exe
Token: SeDebugPrivilege	4672	l2536147.exe
Token: SeDebugPrivilege	4968	AppLaunch.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

m4200447.exe

pid process

1312 m4200447.exe

pid	process
1312	m4200447.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exey4464508.exey0151157.exey3473188.exej2072802.exem4200447.exelamod.execmd.exen7920064.exe

description	pid	process	target process
PID 3688 wrote to memory of 3124	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	y4464508.exe
PID 3688 wrote to memory of 3124	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	y4464508.exe
PID 3688 wrote to memory of 3124	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	y4464508.exe
PID 3124 wrote to memory of 4764	3124	y4464508.exe	y0151157.exe
PID 3124 wrote to memory of 4764	3124	y4464508.exe	y0151157.exe
PID 3124 wrote to memory of 4764	3124	y4464508.exe	y0151157.exe
PID 4764 wrote to memory of 2376	4764	y0151157.exe	y3473188.exe
PID 4764 wrote to memory of 2376	4764	y0151157.exe	y3473188.exe
PID 4764 wrote to memory of 2376	4764	y0151157.exe	y3473188.exe
PID 2376 wrote to memory of 1544	2376	y3473188.exe	j2072802.exe
PID 2376 wrote to memory of 1544	2376	y3473188.exe	j2072802.exe
PID 2376 wrote to memory of 1544	2376	y3473188.exe	j2072802.exe
PID 1544 wrote to memory of 4432	1544	j2072802.exe	AppLaunch.exe
PID 1544 wrote to memory of 4432	1544	j2072802.exe	AppLaunch.exe
PID 1544 wrote to memory of 4432	1544	j2072802.exe	AppLaunch.exe
PID 1544 wrote to memory of 4432	1544	j2072802.exe	AppLaunch.exe
PID 1544 wrote to memory of 4432	1544	j2072802.exe	AppLaunch.exe
PID 2376 wrote to memory of 4836	2376	y3473188.exe	k3807940.exe
PID 2376 wrote to memory of 4836	2376	y3473188.exe	k3807940.exe
PID 4764 wrote to memory of 4672	4764	y0151157.exe	l2536147.exe
PID 4764 wrote to memory of 4672	4764	y0151157.exe	l2536147.exe
PID 4764 wrote to memory of 4672	4764	y0151157.exe	l2536147.exe
PID 3124 wrote to memory of 1312	3124	y4464508.exe	m4200447.exe
PID 3124 wrote to memory of 1312	3124	y4464508.exe	m4200447.exe
PID 3124 wrote to memory of 1312	3124	y4464508.exe	m4200447.exe
PID 1312 wrote to memory of 960	1312	m4200447.exe	lamod.exe
PID 1312 wrote to memory of 960	1312	m4200447.exe	lamod.exe
PID 1312 wrote to memory of 960	1312	m4200447.exe	lamod.exe
PID 3688 wrote to memory of 2508	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	n7920064.exe
PID 3688 wrote to memory of 2508	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	n7920064.exe
PID 3688 wrote to memory of 2508	3688	5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe	n7920064.exe
PID 960 wrote to memory of 2144	960	lamod.exe	schtasks.exe
PID 960 wrote to memory of 2144	960	lamod.exe	schtasks.exe
PID 960 wrote to memory of 2144	960	lamod.exe	schtasks.exe
PID 960 wrote to memory of 2756	960	lamod.exe	cmd.exe
PID 960 wrote to memory of 2756	960	lamod.exe	cmd.exe
PID 960 wrote to memory of 2756	960	lamod.exe	cmd.exe
PID 2756 wrote to memory of 1792	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 1792	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 1792	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4720	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4720	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4720	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4420	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4420	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4420	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 4676	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4676	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 4676	2756	cmd.exe	cmd.exe
PID 2756 wrote to memory of 5020	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 5020	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 5020	2756	cmd.exe	cacls.exe
PID 2508 wrote to memory of 4968	2508	n7920064.exe	AppLaunch.exe
PID 2508 wrote to memory of 4968	2508	n7920064.exe	AppLaunch.exe
PID 2508 wrote to memory of 4968	2508	n7920064.exe	AppLaunch.exe
PID 2508 wrote to memory of 4968	2508	n7920064.exe	AppLaunch.exe
PID 2508 wrote to memory of 4968	2508	n7920064.exe	AppLaunch.exe
PID 2756 wrote to memory of 912	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 912	2756	cmd.exe	cacls.exe
PID 2756 wrote to memory of 912	2756	cmd.exe	cacls.exe
PID 960 wrote to memory of 3508	960	lamod.exe	rundll32.exe
PID 960 wrote to memory of 3508	960	lamod.exe	rundll32.exe
PID 960 wrote to memory of 3508	960	lamod.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe
"C:\Users\Admin\AppData\Local\Temp\5728516c9dd2efeeda4f9516334b3f945dc9fd4e05cdb12dcb0383db4b133734.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3688

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4464508.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4464508.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3124

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0151157.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0151157.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3473188.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3473188.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2072802.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2072802.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
6⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1544 -s 600
6⤵
- Program crash
PID:3156

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3807940.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3807940.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2536147.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2536147.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4200447.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4200447.exe
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1312

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
"C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN lamod.exe /TR "C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe" /F
5⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "lamod.exe" /P "Admin:N"&&CACLS "lamod.exe" /P "Admin:R" /E&&echo Y|CACLS "..\a9e2a16078" /P "Admin:N"&&CACLS "..\a9e2a16078" /P "Admin:R" /E&&Exit
5⤵
- Suspicious use of WriteProcessMemory
PID:2756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:1792

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:N"
6⤵
PID:4720

C:\Windows\SysWOW64\cacls.exe
CACLS "lamod.exe" /P "Admin:R" /E
6⤵
PID:4420

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:N"
6⤵
PID:5020

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
6⤵
PID:4676

C:\Windows\SysWOW64\cacls.exe
CACLS "..\a9e2a16078" /P "Admin:R" /E
6⤵
PID:912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
5⤵
- Loads dropped DLL
PID:3508

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7920064.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7920064.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 148
3⤵
- Program crash
PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1544 -ip 1544
1⤵
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2508 -ip 2508
1⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4020

C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
1⤵
- Executes dropped EXE
PID:4256

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AppLaunch.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7920064.exe
Filesize
307KB

MD5
b2b4cd1895b5d9688cb07cb1b49a4f43

SHA1
ebf465dc71f99a635b26bda496e0a2e9d41e1e8f

SHA256
b00db453fba713da0540b0e346968878ec90cd25bca5b1c0d4b733ccb352749a

SHA512
9ead6602aef51a4ca4173370aad6509e845f8236accc031cee90877cafe4fe6840035192ba8eb1fff7ae94005f222fc8b0a1b5c5e27c55e3cce049d2d375a077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\n7920064.exe
Filesize
307KB

MD5
b2b4cd1895b5d9688cb07cb1b49a4f43

SHA1
ebf465dc71f99a635b26bda496e0a2e9d41e1e8f

SHA256
b00db453fba713da0540b0e346968878ec90cd25bca5b1c0d4b733ccb352749a

SHA512
9ead6602aef51a4ca4173370aad6509e845f8236accc031cee90877cafe4fe6840035192ba8eb1fff7ae94005f222fc8b0a1b5c5e27c55e3cce049d2d375a077

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4464508.exe
Filesize
547KB

MD5
2a4228be2b3267076e2e619a992383b9

SHA1
a280576b431627473da6c19afae8cc112791f5cd

SHA256
1a1518da8c28d7e3628c06bb486e2cd0954750625c0c940a906ab69cf6e15d88

SHA512
37e27c0d61459f8a651690ff68d21a5992551c3b85ccbc17201afcf32908c9f4c03a0752e79747dbcf34de27f714e1315d7bae35cbc8211f587c99f91a0197d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y4464508.exe
Filesize
547KB

MD5
2a4228be2b3267076e2e619a992383b9

SHA1
a280576b431627473da6c19afae8cc112791f5cd

SHA256
1a1518da8c28d7e3628c06bb486e2cd0954750625c0c940a906ab69cf6e15d88

SHA512
37e27c0d61459f8a651690ff68d21a5992551c3b85ccbc17201afcf32908c9f4c03a0752e79747dbcf34de27f714e1315d7bae35cbc8211f587c99f91a0197d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4200447.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\m4200447.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0151157.exe
Filesize
375KB

MD5
daf88aafeaa2388c743f859b0a82eae2

SHA1
a1d7c60a837906639d0a41e474e2b898a2fb7952

SHA256
0f68c140ec850e6674b94dda2e699dc3ceaac9cd471b60fc749478496e150c88

SHA512
ee6b5da18f104b1afa1133e1cd1a673f5a33350aa741b98871830eeed150e012a4f8fa978ac00ee377520189ccf225892f9eefaf9e27cc25917feef967e8899d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y0151157.exe
Filesize
375KB

MD5
daf88aafeaa2388c743f859b0a82eae2

SHA1
a1d7c60a837906639d0a41e474e2b898a2fb7952

SHA256
0f68c140ec850e6674b94dda2e699dc3ceaac9cd471b60fc749478496e150c88

SHA512
ee6b5da18f104b1afa1133e1cd1a673f5a33350aa741b98871830eeed150e012a4f8fa978ac00ee377520189ccf225892f9eefaf9e27cc25917feef967e8899d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2536147.exe
Filesize
172KB

MD5
24044e7039a7f7ed357c47b96c53c055

SHA1
9fd801ca5304aeb4535e8f2e8c0e4bdfcb0573a4

SHA256
5d1b37eb42fd6e4cfb20802bbdc2be30a378870ca29bb02aeec7b5cb67cc3a68

SHA512
70b69ca945e367aeaa6406bfa04bc0a732ed24861ba245fbd5246f607d8ff26dc781dd463f59f858abd91d94444ec409599238d831e397b895693288a0993820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\l2536147.exe
Filesize
172KB

MD5
24044e7039a7f7ed357c47b96c53c055

SHA1
9fd801ca5304aeb4535e8f2e8c0e4bdfcb0573a4

SHA256
5d1b37eb42fd6e4cfb20802bbdc2be30a378870ca29bb02aeec7b5cb67cc3a68

SHA512
70b69ca945e367aeaa6406bfa04bc0a732ed24861ba245fbd5246f607d8ff26dc781dd463f59f858abd91d94444ec409599238d831e397b895693288a0993820

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3473188.exe
Filesize
220KB

MD5
36eced36026ad7d3d092a0f133bc2ad6

SHA1
6c3a47ec80cade371e1f2c2c832673e532d11a8a

SHA256
880cbe7de76867177ff8b3c1d74be7b69eb233c83da6eeb51f750bfa324c74cc

SHA512
5b7db507f791a59a78a7fd4d6b3299c96331f2eb09d1d720b5a1de7c74f08d34486baf8403e502157a5318b9459104a8d4ed0f3d05e3de5f63b3454f40a698fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\y3473188.exe
Filesize
220KB

MD5
36eced36026ad7d3d092a0f133bc2ad6

SHA1
6c3a47ec80cade371e1f2c2c832673e532d11a8a

SHA256
880cbe7de76867177ff8b3c1d74be7b69eb233c83da6eeb51f750bfa324c74cc

SHA512
5b7db507f791a59a78a7fd4d6b3299c96331f2eb09d1d720b5a1de7c74f08d34486baf8403e502157a5318b9459104a8d4ed0f3d05e3de5f63b3454f40a698fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2072802.exe
Filesize
147KB

MD5
6863b1b1879056b2b7d338b15f576aba

SHA1
87d6d9697dc6746f34e4d8bd17e9d623df66c1a1

SHA256
3dda2022c4df1733def009d97487384bb8dfb80be98ab766fa5dc0601bbc75f9

SHA512
f4ada7ee3d24d194755fc4767dc1916c5ed22023c009b15684805bbebc7cdea65d3662050560d3d367382fec59c3aad8c190aae695c48b078ff83efeb6a5df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\j2072802.exe
Filesize
147KB

MD5
6863b1b1879056b2b7d338b15f576aba

SHA1
87d6d9697dc6746f34e4d8bd17e9d623df66c1a1

SHA256
3dda2022c4df1733def009d97487384bb8dfb80be98ab766fa5dc0601bbc75f9

SHA512
f4ada7ee3d24d194755fc4767dc1916c5ed22023c009b15684805bbebc7cdea65d3662050560d3d367382fec59c3aad8c190aae695c48b078ff83efeb6a5df04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3807940.exe
Filesize
14KB

MD5
352e3701aa3338694bfa456d2fa8b427

SHA1
0568a20232db7707e03c92ba3919606595b57161

SHA256
0d375e4d0c9e6c591eb18cc10aeb2a8d68a15125ff4c3dc74eb8ca48bddb1635

SHA512
17cb4ae4c0a02a514349f83d2b2e5854fbf7bf92ce4a35f3c0114313bd61db72ab884fc1eb2612ab3c87ec1db5ea8e86a6a84202d837ef8db9ed23906c4b800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\k3807940.exe
Filesize
14KB

MD5
352e3701aa3338694bfa456d2fa8b427

SHA1
0568a20232db7707e03c92ba3919606595b57161

SHA256
0d375e4d0c9e6c591eb18cc10aeb2a8d68a15125ff4c3dc74eb8ca48bddb1635

SHA512
17cb4ae4c0a02a514349f83d2b2e5854fbf7bf92ce4a35f3c0114313bd61db72ab884fc1eb2612ab3c87ec1db5ea8e86a6a84202d837ef8db9ed23906c4b800d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\a9e2a16078\lamod.exe
Filesize
208KB

MD5
3b42d7136b606d745c6ea339a9e68a83

SHA1
0d506e7872e8a1b4f0a1ccae454347be9143c6d4

SHA256
0a4e2a5204644a7151bb7f9405189af647dec263d535b039dcff56b008b4e008

SHA512
b5612cb7c1650d601d3c424bc502dc29169b62dc90b2f91d03853f87e903bdf500273413b397744d60dd616ebfd05118ebb571d1524defd8bd76d83a43d8d625

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
Filesize
89KB

MD5
a5ed103ec4719a27ab3d3c01dac66f01

SHA1
c830d6980d7edea60568a518eccd36c0bc2a4924

SHA256
dbcdc009781edffc3c4e5234d3d23d26364d6bff47e2e384cffdef148d7b5b36

SHA512
b7fbe709a44f0e84a94c9e82f790d04e3d86b5409b5eb2d9f1d4d775b9669694c189042f04001acadb6da4c6284f4fbcbe39fd97427d41619191928510db9d80

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
Filesize
162B

MD5
1b7c22a214949975556626d7217e9a39

SHA1
d01c97e2944166ed23e47e4a62ff471ab8fa031f

SHA256
340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87

SHA512
ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

Download Submit
memory/4432-161-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4672-183-0x000000000B700000-0x000000000BCA4000-memory.dmp

Filesize
5.6MB

Download
memory/4672-180-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4672-187-0x000000000C580000-0x000000000CAAC000-memory.dmp

Filesize
5.2MB

Download
memory/4672-186-0x000000000BE80000-0x000000000C042000-memory.dmp

Filesize
1.8MB

Download
memory/4672-185-0x000000000B630000-0x000000000B680000-memory.dmp

Filesize
320KB

Download
memory/4672-184-0x000000000B150000-0x000000000B1B6000-memory.dmp

Filesize
408KB

Download
memory/4672-182-0x000000000B0B0000-0x000000000B142000-memory.dmp

Filesize
584KB

Download
memory/4672-181-0x000000000A910000-0x000000000A986000-memory.dmp

Filesize
472KB

Download
memory/4672-175-0x0000000000720000-0x0000000000750000-memory.dmp

Filesize
192KB

Download
memory/4672-188-0x0000000004F00000-0x0000000004F10000-memory.dmp

Filesize
64KB

Download
memory/4672-176-0x000000000A9F0000-0x000000000B008000-memory.dmp

Filesize
6.1MB

Download
memory/4672-179-0x000000000A500000-0x000000000A53C000-memory.dmp

Filesize
240KB

Download
memory/4672-178-0x000000000A4A0000-0x000000000A4B2000-memory.dmp

Filesize
72KB

Download
memory/4672-177-0x000000000A560000-0x000000000A66A000-memory.dmp

Filesize
1.0MB

Download
memory/4836-169-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/4968-212-0x00000000050B0000-0x00000000050C0000-memory.dmp

Filesize
64KB

Download
memory/4968-206-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download