Malware Analysis Report

2025-03-15 01:39

Sample ID 230910-qw1x5ahd7y
Target 458aeb444a66350118741f27c1f40bf4
SHA256 752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983
Tags
redline virad infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

752823538da4481a5c018b006e45632bac790df88df756c6a54291981d953983

Threat Level: Known bad

The file 458aeb444a66350118741f27c1f40bf4 was found to be: Known bad.

Malicious Activity Summary

redline virad infostealer persistence

RedLine

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Uses Task Scheduler COM API

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-09-10 13:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-09-10 13:37

Reported

2023-09-10 13:40

Platform

win7-20230831-en

Max time kernel

134s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 2392 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 1312 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3024 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

Processes

C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe

"C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

Network

Country Destination Domain Proto
RU 5.42.92.211:80 5.42.92.211 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

MD5 98825ce1571804b7d16789eeb6b66ecd
SHA1 b8336b775ec312f7147db06a78996a74d962cfca
SHA256 fd666a68050a49b695358a02c921df69e353d5a99a27d896802c9e31c5a2b9eb
SHA512 86d4c1432e9b3731bd2eb9ed29e6076a0b15ef5e78f25f480aeede375ed817666e07f06ea6acf79ad45eb56610b2740aa53803823a7752f90125a8826b221a86

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

MD5 98825ce1571804b7d16789eeb6b66ecd
SHA1 b8336b775ec312f7147db06a78996a74d962cfca
SHA256 fd666a68050a49b695358a02c921df69e353d5a99a27d896802c9e31c5a2b9eb
SHA512 86d4c1432e9b3731bd2eb9ed29e6076a0b15ef5e78f25f480aeede375ed817666e07f06ea6acf79ad45eb56610b2740aa53803823a7752f90125a8826b221a86

\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

MD5 f803632a1b21849275a12c06be27b37f
SHA1 91d7237b06123a2f0131fd2ef93779d61cdaa639
SHA256 10dbf875740319e882923a3fdd98179c7fe21addd63f9b9a82db94c64138960d
SHA512 8cbbf05a3af70358a32d44ab4f2d7d6b41d2209cefa89f0aa2e509b02c8d8ef458850ab64e0b5d65f546cf2e0471958fc7507311c116e72397fe0a06030f39b4

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

MD5 f803632a1b21849275a12c06be27b37f
SHA1 91d7237b06123a2f0131fd2ef93779d61cdaa639
SHA256 10dbf875740319e882923a3fdd98179c7fe21addd63f9b9a82db94c64138960d
SHA512 8cbbf05a3af70358a32d44ab4f2d7d6b41d2209cefa89f0aa2e509b02c8d8ef458850ab64e0b5d65f546cf2e0471958fc7507311c116e72397fe0a06030f39b4

\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

MD5 a2d464901e560f757cb597a86607a656
SHA1 a6e8c4f954143aaee522d692bfdbe8bf0258a35e
SHA256 dcca55a5c13bbe96d2e6edee9ad7279f7f0fa0c62db387b2a65a61242f462239
SHA512 0ce1261c532d3f7bf784b0a55184af79408ea124eb5137f0119e0a30e0b1b4b008722408ece8e40ec199b76e565ece523966304bf7c762489620b8588222ffeb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

MD5 a2d464901e560f757cb597a86607a656
SHA1 a6e8c4f954143aaee522d692bfdbe8bf0258a35e
SHA256 dcca55a5c13bbe96d2e6edee9ad7279f7f0fa0c62db387b2a65a61242f462239
SHA512 0ce1261c532d3f7bf784b0a55184af79408ea124eb5137f0119e0a30e0b1b4b008722408ece8e40ec199b76e565ece523966304bf7c762489620b8588222ffeb

\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

MD5 2514aea1eb1e7017ad6e38ae7996b786
SHA1 182d6a3c3cae0e5954b0c23e39577846fdd0983b
SHA256 5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064
SHA512 90c62064c4a990bf5682abaf30017e007a39b12da814de10e5bad66103d176df5fcf93a53fefe68140a37576e92ff876d4c7fb2887c8735e3d12f6d1c19cde42

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

MD5 2514aea1eb1e7017ad6e38ae7996b786
SHA1 182d6a3c3cae0e5954b0c23e39577846fdd0983b
SHA256 5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064
SHA512 90c62064c4a990bf5682abaf30017e007a39b12da814de10e5bad66103d176df5fcf93a53fefe68140a37576e92ff876d4c7fb2887c8735e3d12f6d1c19cde42

memory/2740-36-0x0000000000DF0000-0x0000000000E20000-memory.dmp

memory/2740-37-0x0000000000360000-0x0000000000366000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-09-10 13:37

Reported

2023-09-10 13:40

Platform

win10v2004-20230831-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe"

Signatures

RedLine

infostealer redline

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{73FC3073-BB60-4FC9-B469-B26FDFD92484}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\System32\svchost.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\System32\svchost.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3892 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 3892 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 3892 wrote to memory of 3520 N/A C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe
PID 3520 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 3520 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 3520 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe
PID 3068 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3068 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3068 wrote to memory of 3468 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe
PID 3068 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3068 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe
PID 3068 wrote to memory of 4148 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe

"C:\Users\Admin\AppData\Local\Temp\458aeb444a66350118741f27c1f40bf4.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 126.210.247.8.in-addr.arpa udp
RU 5.42.92.211:80 5.42.92.211 tcp
US 8.8.8.8:53 211.92.42.5.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
FI 77.91.124.82:19071 tcp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\y7435095.exe

MD5 98825ce1571804b7d16789eeb6b66ecd
SHA1 b8336b775ec312f7147db06a78996a74d962cfca
SHA256 fd666a68050a49b695358a02c921df69e353d5a99a27d896802c9e31c5a2b9eb
SHA512 86d4c1432e9b3731bd2eb9ed29e6076a0b15ef5e78f25f480aeede375ed817666e07f06ea6acf79ad45eb56610b2740aa53803823a7752f90125a8826b221a86

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\y1486438.exe

MD5 f803632a1b21849275a12c06be27b37f
SHA1 91d7237b06123a2f0131fd2ef93779d61cdaa639
SHA256 10dbf875740319e882923a3fdd98179c7fe21addd63f9b9a82db94c64138960d
SHA512 8cbbf05a3af70358a32d44ab4f2d7d6b41d2209cefa89f0aa2e509b02c8d8ef458850ab64e0b5d65f546cf2e0471958fc7507311c116e72397fe0a06030f39b4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\m8040720.exe

MD5 a2d464901e560f757cb597a86607a656
SHA1 a6e8c4f954143aaee522d692bfdbe8bf0258a35e
SHA256 dcca55a5c13bbe96d2e6edee9ad7279f7f0fa0c62db387b2a65a61242f462239
SHA512 0ce1261c532d3f7bf784b0a55184af79408ea124eb5137f0119e0a30e0b1b4b008722408ece8e40ec199b76e565ece523966304bf7c762489620b8588222ffeb

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\n5564874.exe

MD5 2514aea1eb1e7017ad6e38ae7996b786
SHA1 182d6a3c3cae0e5954b0c23e39577846fdd0983b
SHA256 5fb7ac419931189b181a54705418ac2329ba195e4b2f20ef1085650cfe858064
SHA512 90c62064c4a990bf5682abaf30017e007a39b12da814de10e5bad66103d176df5fcf93a53fefe68140a37576e92ff876d4c7fb2887c8735e3d12f6d1c19cde42

memory/4148-24-0x0000000000AA0000-0x0000000000AD0000-memory.dmp

memory/4148-25-0x00000000744E0000-0x0000000074C90000-memory.dmp

memory/4148-26-0x000000000AF00000-0x000000000B518000-memory.dmp

memory/4148-27-0x000000000AA50000-0x000000000AB5A000-memory.dmp

memory/4148-28-0x00000000053D0000-0x00000000053E0000-memory.dmp

memory/4148-29-0x000000000A990000-0x000000000A9A2000-memory.dmp

memory/4148-30-0x000000000A9F0000-0x000000000AA2C000-memory.dmp

memory/4148-32-0x00000000744E0000-0x0000000074C90000-memory.dmp

memory/4148-33-0x00000000053D0000-0x00000000053E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wsuAB92.tmp

MD5 c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512 d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7