Analysis
max time kernel: 156s
max time network: 174s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-10-2023 19:49
Static task: static1
Behavioral task: behavioral1
  Sample: 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe
  Resource: win10v2004-20230915-en
General
Target: 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe
Size: 1.0MB
MD5: cc877a6758666b7cc93b104f64fe10e6
SHA1: a3750bacf4316ce1a35ca0dc2939cf222eccbf1d
SHA256: 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7
SHA512: 8aecc5400349f5390b8a2b62e792172eeebd6f419d3f0855d534ba98c5da2fe4dfa54d62b9ccb9993e103bcd0e074a00fac330752f91bdfee71ed798bdaf4da9
SSDEEP: 12288:9Mriy90DO2jm/aTCHWrGRRNHVc5MXvxfCx5sJwzih14ZwcWqFSVl2ZXZPLPKs+hU:by6jTfkRcWpax5qw2r4ScGVgvTmZF7S
Malware Config
Extracted: redline
  gruha
  C2: 77.91.124.55:19071
  auth_value: 2f4cf2e668a540e64775b27535cc6892
Extracted: amadey 3.89
  C2 URLs:
    http://77.91.124.1/theme/index.php
    http://77.91.68.78/help/index.php
  install_dir: fefffe8cea
  install_file: explothe.exe
  strings_key: 36a96139c1118a354edf72b1080d4b2f
The Amadey install_dir/install_file pair matches the C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe entries in the process tree. A second Amadey-style install (cb378487cf\legota.exe, dropped by u8067762.exe) runs the same persistence routine but no configuration was extracted for it.
Signatures

Detects Healer, an antivirus-disabler dropper (3 IoCs)
  yara_rule healer: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4991198.exe
  yara_rule healer: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4991198.exe
  yara_rule healer: behavioral2/memory/4684-35-0x0000000000A70000-0x0000000000A7A000-memory.dmp

Modifies Windows Defender Real-time Protection settings (all by q4991198.exe)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
  Set value (int): \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
These are the Group Policy values Defender honours under HKLM\SOFTWARE\Policies; the policy key did not exist until the dropper created it, so its mere presence on a non-domain workstation is already a strong indicator.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up the country code configured in the registry, likely a geofence.
  u8067762.exe: Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
  legota.exe: Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
  t1184492.exe: Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
  explothe.exe: Key value queried \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (14 IoCs)
  PID 4244 z1625615.exe
  PID 3360 z8167961.exe
  PID 1268 z1788813.exe
  PID 1768 z8273431.exe
  PID 4684 q4991198.exe
  PID 2696 r9230333.exe
  PID 5076 s3868803.exe
  PID 1356 t1184492.exe
  PID 392 explothe.exe
  PID 3612 u8067762.exe
  PID 208 legota.exe
  PID 4092 w8781755.exe
  PID 4460 explothe.exe
  PID 5084 legota.exe
Loads dropped DLL (2 IoCs)
  PID 1160 rundll32.exe
  PID 1600 rundll32.exe
Windows security modification
  q4991198.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"
Whether this write and the Real-Time Protection policy changes above take effect depends on the host: with Tamper Protection enabled, Defender ignores or reverts them, so the registry rows record the attempt, not a confirmed bypass.
Adds Run key to start application (2 TTPs, 5 IoCs)
  3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
  z1625615.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
  z8167961.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
  z1788813.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""
  z8273431.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
Caveat: each of these values is the standard RunOnce cleanup entry that the Windows IExpress self-extractor (wextract) writes so that its IXP00N.TMP working directory is deleted at the next logon via advpack.dll!DelNodeRunDLL32. They show that all five nesting layers are IExpress packages; they are not autostart persistence for the payload. The persistence in this run is the pair of scheduled tasks created under explothe.exe and legota.exe.
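The Defender policy rows, the TamperProtection write and the wextract_cleanup RunOnce values above are all registry events of the same shape, and a triage script has to tell them apart: policy writes that switch real-time protection off, the Tamper Protection flag, genuine Run/RunOnce persistence, and the self-extractor's own housekeeping. The Python below is an added example written for this page, not part of the sandbox report or its tooling. It parses rows in the report's own "Set value (type) path = "data" process" / "Key created path process" format; the sample rows are copied from this report except the Run entry attributed to "hypothetical.exe", which is constructed to exercise the persistence branch and does not occur in this analysis.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class RegEvent(NamedTuple):
    op: str        # "Set value" or "Key created"
    key: str       # full path; for Set value the last component is the value name
    data: str      # value data ("" for Key created)
    process: str   # image name of the writing process


_SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
_KEY_RE = re.compile(r'^Key created (.+?) (\S+)$')


def parse_event(line: str) -> Optional[RegEvent]:
    """Parse one 'Set value ...' or 'Key created ...' row of the report."""
    m = _SET_RE.match(line.strip())
    if m:
        _kind, key, data, proc = m.groups()
        return RegEvent("Set value", key, data, proc)
    m = _KEY_RE.match(line.strip())
    if m:
        key, proc = m.groups()
        return RegEvent("Key created", key, "", proc)
    return None


# Policy values under Real-Time Protection that switch a Defender feature off when set to 1.
DEFENDER_OFF_VALUES = {
    "DisableRealtimeMonitoring", "DisableBehaviorMonitoring", "DisableIOAVProtection",
    "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
RTP_POLICY = "\\policies\\microsoft\\windows defender\\real-time protection"
TAMPER_KEY = "\\microsoft\\windows defender\\features\\tamperprotection"
# RunOnce entry written by the Windows IExpress/wextract self-extractor to delete its
# IXP00N.TMP working directory at next logon; packaging housekeeping, not payload persistence.
_WEXTRACT_RE = re.compile(r"advpack\.dll,DelNodeRunDLL32 .*IXP\d{3}\.TMP", re.IGNORECASE)


def classify(ev: RegEvent) -> str:
    key_l = ev.key.lower()
    name = ev.key.rsplit("\\", 1)[-1]
    if RTP_POLICY in key_l:
        if ev.op == "Set value" and name in DEFENDER_OFF_VALUES and ev.data == "1":
            return "defender-realtime-disabled"
        return "defender-policy-touched"
    if key_l.endswith(TAMPER_KEY) and ev.data == "0":
        return "tamper-protection-off"
    if "\\currentversion\\runonce\\" in key_l or "\\currentversion\\run\\" in key_l:
        if name.lower().startswith("wextract_cleanup") and _WEXTRACT_RE.search(ev.data):
            return "wextract-cleanup"
        return "autorun-persistence"
    return "other"


def triage(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group (process, value-or-key name) pairs by category; unparsable rows are skipped."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is not None:
            findings.setdefault(classify(ev), []).append((ev.process, ev.key.rsplit("\\", 1)[-1]))
    return findings


# Constructed sample: five rows copied from this report plus one hypothetical Run entry
# (process "hypothetical.exe", value "updater") that is not in the report.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" q4991198.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" q4991198.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection q4991198.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" q4991198.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" z8273431.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Software\Microsoft\Windows\CurrentVersion\Run\updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\x.exe" hypothetical.exe',
]

if __name__ == "__main__":
    for category, hits in triage(SAMPLE_EVENTS).items():
        print(f"{category:28} {hits}")
```

Run against the sample, the five report rows land in the three Defender/Tamper categories and the wextract bucket, and only the constructed Run entry is reported as autorun persistence; feeding the script the full row set from an EDR registry feed gives the same split.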
Suspicious use of SetThreadContext (2 IoCs)
  PID 2696 r9230333.exe set thread context of PID 1192 AppLaunch.exe
  PID 5076 s3868803.exe set thread context of PID 5080 AppLaunch.exe
Both parents are unpacked stages running from %TEMP% (IXP004.TMP and IXP003.TMP) that write into a freshly started, legitimate .NET host (AppLaunch.exe) and then redirect its thread; taken with the WriteProcessMemory rows below this is consistent with process hollowing.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  PID 1564 WerFault.exe for PID 1192 AppLaunch.exe
  PID 4156 WerFault.exe for PID 2696 r9230333.exe
  PID 2288 WerFault.exe for PID 5076 s3868803.exe
All three crashes are in the two injecting parents and one of the hollowed AppLaunch.exe hosts, so the injected payload did not run to completion in this sandbox.
Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 4356 schtasks.exe
  PID 2396 schtasks.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 4684 q4991198.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 4684 q4991198.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (64 IoCs)
One row per write in the raw report; collapsed here to unique parent -> target pairs with the number of rows for each.
  PID 1932 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe -> PID 4244 z1625615.exe (3)
  PID 4244 z1625615.exe -> PID 3360 z8167961.exe (3)
  PID 3360 z8167961.exe -> PID 1268 z1788813.exe (3)
  PID 1268 z1788813.exe -> PID 1768 z8273431.exe (3)
  PID 1768 z8273431.exe -> PID 4684 q4991198.exe (2)
  PID 1768 z8273431.exe -> PID 2696 r9230333.exe (3)
  PID 2696 r9230333.exe -> PID 748 AppLaunch.exe (3)
  PID 2696 r9230333.exe -> PID 3796 AppLaunch.exe (3)
  PID 2696 r9230333.exe -> PID 1192 AppLaunch.exe (10)
  PID 1268 z1788813.exe -> PID 5076 s3868803.exe (3)
  PID 5076 s3868803.exe -> PID 5080 AppLaunch.exe (8)
  PID 3360 z8167961.exe -> PID 1356 t1184492.exe (3)
  PID 1356 t1184492.exe -> PID 392 explothe.exe (3)
  PID 4244 z1625615.exe -> PID 3612 u8067762.exe (3)
  PID 392 explothe.exe -> PID 4356 schtasks.exe (3)
  PID 392 explothe.exe -> PID 932 cmd.exe (3)
  PID 3612 u8067762.exe -> PID 208 legota.exe (3)
  PID 1932 3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe -> PID 4092 w8781755.exe (2)
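The WriteProcessMemory and SetThreadContext tables are flat lists of PID pairs, which hides the two facts a responder wants: the full chain from the submitted sample down to each hollowed host, and which parent both wrote into and redirected a child of a different image. The added example below (written for this page, not part of the sandbox report) rebuilds the parent chain from the "wrote to memory" rows and pairs each SetThreadContext row with the writes that preceded it. It assumes that the first cross-process write to a new PID comes from its creator, which holds for the rows in this report; the sample rows are a subset copied from the report, with only a few of the repeated write rows kept.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# One row of the "wrote to memory" / "set thread context" tables:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

SAMPLE = "3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe"
# Constructed sample: a subset of the rows in this report (the report repeats a row
# once per write; only a few repeats are kept here, so counts are smaller than the report's).
SAMPLE_ROWS = [
    f"PID 1932 wrote to memory of 4244 1932 {SAMPLE} z1625615.exe",
    "PID 4244 wrote to memory of 3360 4244 z1625615.exe z8167961.exe",
    "PID 3360 wrote to memory of 1268 3360 z8167961.exe z1788813.exe",
    "PID 1268 wrote to memory of 1768 1268 z1788813.exe z8273431.exe",
    "PID 1768 wrote to memory of 4684 1768 z8273431.exe q4991198.exe",
    "PID 1768 wrote to memory of 2696 1768 z8273431.exe r9230333.exe",
    "PID 2696 wrote to memory of 748 2696 r9230333.exe AppLaunch.exe",
    "PID 2696 wrote to memory of 1192 2696 r9230333.exe AppLaunch.exe",
    "PID 2696 wrote to memory of 1192 2696 r9230333.exe AppLaunch.exe",
    "PID 2696 wrote to memory of 1192 2696 r9230333.exe AppLaunch.exe",
    "PID 2696 set thread context of 1192 2696 r9230333.exe AppLaunch.exe",
    "PID 1268 wrote to memory of 5076 1268 z1788813.exe s3868803.exe",
    "PID 5076 wrote to memory of 5080 5076 s3868803.exe AppLaunch.exe",
    "PID 5076 wrote to memory of 5080 5076 s3868803.exe AppLaunch.exe",
    "PID 5076 set thread context of 5080 5076 s3868803.exe AppLaunch.exe",
    "PID 3360 wrote to memory of 1356 3360 z8167961.exe t1184492.exe",
    "PID 1356 wrote to memory of 392 1356 t1184492.exe explothe.exe",
    "PID 392 wrote to memory of 4356 392 explothe.exe schtasks.exe",
]


def parse_rows(rows: List[str]):
    parent: Dict[int, int] = {}        # child pid -> pid of the first process that wrote to it
    images: Dict[int, str] = {}        # pid -> image name
    writes: Counter = Counter()        # (src, dst) -> number of WriteProcessMemory rows
    ctx: Set[Tuple[int, int]] = set()  # (src, dst) pairs with a SetThreadContext row
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        images[src], images[dst] = m["src_img"], m["dst_img"]
        if m["op"].startswith("wrote"):
            writes[(src, dst)] += 1
            # Assumption: the first cross-process write to a fresh PID comes from its
            # creator (the parent populating the child at CreateProcess time).
            parent.setdefault(dst, src)
        else:
            ctx.add((src, dst))
    return parent, images, writes, ctx


def lineage(pid: int, rows: List[str] = SAMPLE_ROWS) -> List[str]:
    """Root-to-leaf chain of 'pid image' strings for the given PID."""
    parent, images, _, _ = parse_rows(rows)
    chain, seen = [], set()
    while pid in images and pid not in seen:
        seen.add(pid)
        chain.append(f"{pid} {images[pid]}")
        if pid not in parent:
            break
        pid = parent[pid]
    return chain[::-1]


def hollowing_candidates(rows: List[str] = SAMPLE_ROWS) -> List[Tuple[int, str, int, str, int]]:
    """SetThreadContext on a child of a different image that the same parent also wrote to."""
    _, images, writes, ctx = parse_rows(rows)
    return [
        (src, images[src], dst, images[dst], writes[(src, dst)])
        for src, dst in sorted(ctx)
        if images[src] != images[dst] and writes[(src, dst)] > 0
    ]


if __name__ == "__main__":
    print(" -> ".join(lineage(1192)))
    for src, src_img, dst, dst_img, n in hollowing_candidates():
        print(f"{src_img} ({src}) redirected {dst_img} ({dst}) after {n} memory writes")
```

For PID 1192 the chain is seven processes deep (the submitted sample, four IExpress layers, r9230333.exe, AppLaunch.exe), and both SetThreadContext rows are reported as hollowing candidates because the parent image differs from the target and the parent had already written into it.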
Processes
Indented by depth in the process tree. Each entry gives the PID and image path; the command line is shown where it differs from the bare image path, followed by the signatures the process triggered.

[1] PID 1932  C:\Users\Admin\AppData\Local\Temp\3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\3f05fa13fc8fa66ccce4360bd4579998b081cfb096faf148e7df1a84f487dad7_JC.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
  [2] PID 4244  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1625615.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
    [3] PID 3360  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8167961.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
      [4] PID 1268  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1788813.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
        [5] PID 1768  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8273431.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of WriteProcessMemory
          [6] PID 4684  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4991198.exe
              - Modifies Windows Defender Real-time Protection settings
              - Executes dropped EXE
              - Windows security modification
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
          [6] PID 2696  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9230333.exe
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of WriteProcessMemory
            [7] PID 748   C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            [7] PID 3796  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
            [7] PID 1192  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              [8] PID 1564  C:\Windows\SysWOW64\WerFault.exe
                  cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1192 -s 540
                  - Program crash
            [7] PID 4156  C:\Windows\SysWOW64\WerFault.exe
                cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2696 -s 584
                - Program crash
        [5] PID 5076  C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3868803.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
          [6] PID 5080  C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          [6] PID 2288  C:\Windows\SysWOW64\WerFault.exe
              cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 152
              - Program crash
      [4] PID 1356  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1184492.exe
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
        [5] PID 392   C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
            - Checks computer location settings
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
          [6] PID 4356  C:\Windows\SysWOW64\schtasks.exe
              cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
              - Creates scheduled task(s)
          [6] PID 932   C:\Windows\SysWOW64\cmd.exe
              cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
            [7] PID 820   C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [7] PID 3604  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "explothe.exe" /P "Admin:N"
            [7] PID 2208  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "explothe.exe" /P "Admin:R" /E
            [7] PID 3764  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\fefffe8cea" /P "Admin:N"
            [7] PID 3032  C:\Windows\SysWOW64\cmd.exe
                cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            [7] PID 1528  C:\Windows\SysWOW64\cacls.exe
                cmdline: CACLS "..\fefffe8cea" /P "Admin:R" /E
          [6] PID 1600  C:\Windows\SysWOW64\rundll32.exe
              cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
              - Loads dropped DLL
    [3] PID 3612  C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8067762.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
      [4] PID 208   C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
          - Checks computer location settings
          - Executes dropped EXE
        [5] PID 2396  C:\Windows\SysWOW64\schtasks.exe
            cmdline: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
            - Creates scheduled task(s)
        [5] PID 1724  C:\Windows\SysWOW64\cmd.exe
            cmdline: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
          [6] PID 2284  C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] PID 4476  C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "legota.exe" /P "Admin:N"
          [6] PID 4460  C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "legota.exe" /P "Admin:R" /E
          [6] PID 4824  C:\Windows\SysWOW64\cmd.exe
              cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          [6] PID 4916  C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\cb378487cf" /P "Admin:N"
          [6] PID 4956  C:\Windows\SysWOW64\cacls.exe
              cmdline: CACLS "..\cb378487cf" /P "Admin:R" /E
        [5] PID 1160  C:\Windows\SysWOW64\rundll32.exe
            cmdline: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
            - Loads dropped DLL
  [2] PID 4092  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8781755.exe
      - Executes dropped EXE
[1] PID 212   C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1192 -ip 1192
[1] PID 556   C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2696 -ip 2696
[1] PID 3424  C:\Windows\SysWOW64\WerFault.exe
    cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 5076 -ip 5076
[1] PID 4460  C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
    - Executes dropped EXE
[1] PID 5084  C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
    - Executes dropped EXE

The two root-level explothe.exe and legota.exe entries at the end have no parent in the tree, which is consistent with the every-minute scheduled tasks created above firing during the 156 s run and the Task Scheduler service launching the installed copies.
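The explothe.exe and legota.exe subtrees above show the Amadey persistence routine in full: a schtasks.exe task that re-launches the copied binary from %TEMP% every minute, followed by a cmd.exe chain that uses CACLS to strip the infected account down to read-only on the binary and its directory so the user cannot simply delete them. The added example below (written for this page, not part of the sandbox report or of Amadey) extracts the task definition and the ACL changes from those two command lines exactly as recorded, so the same checks can run over process-creation logs from an EDR. The sample command lines are copied from this report.

```python
import re
from typing import List, Optional

# Constructed sample: the two command lines recorded under explothe.exe (PID 392) in this report.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F',
    r'"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit',
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# One CACLS invocation: CACLS "<path>" /P "<user>:<perm>" [/E]
CACLS_RE = re.compile(r'CACLS\s+"([^"]+)"\s+/P\s+"([^"]+):([A-Za-z])"(\s+/E)?', re.IGNORECASE)


def _opt(cmd: str, flag: str) -> Optional[str]:
    """Value of a schtasks switch such as /TN, whether quoted or bare."""
    m = re.search(rf'/{flag}\s+(?:"([^"]*)"|(\S+))', cmd, re.IGNORECASE)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def analyse_schtasks(cmd: str) -> Optional[dict]:
    """Pull the task definition out of a 'schtasks /Create' line and list why it looks suspicious."""
    low = cmd.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    info = {
        "task": _opt(cmd, "TN"),
        "schedule": (_opt(cmd, "SC") or "").upper(),
        "modifier": int(_opt(cmd, "MO") or 1),
        "target": _opt(cmd, "TR"),
        "force": "/f" in low.split(),
        "reasons": [],
    }
    if info["schedule"] == "MINUTE" and info["modifier"] <= 5:
        info["reasons"].append(f"re-launches every {info['modifier']} minute(s)")
    if info["target"] and TEMP_RE.search(info["target"]):
        info["reasons"].append("target binary lives under %TEMP%")
    if info["force"]:
        info["reasons"].append("/F silently overwrites an existing task of the same name")
    return info


def cacls_ops(cmd: str) -> List[dict]:
    """Each CACLS invocation in a cmd.exe chain: path, user, permission letter, /E edit mode."""
    return [
        {"path": p, "user": u, "perm": perm.upper(), "edit": bool(e)}
        for p, u, perm, e in CACLS_RE.findall(cmd)
    ]


def self_protected_paths(cmd: str) -> List[str]:
    """Paths whose ACL is replaced with <user>:N and then only R is added back.

    Without /E, CACLS /P replaces the whole ACL and asks 'Are you sure (Y/N)?', which is
    what the 'echo Y|' pipe answers. The second call (/E) edits the new ACL to add Read.
    The infected account can then read the file or directory but not modify or delete it.
    """
    by_path: dict = {}
    for op in cacls_ops(cmd):
        by_path.setdefault(op["path"], set()).add((op["perm"], op["edit"]))
    return [path for path, perms in by_path.items() if ("N", False) in perms and ("R", True) in perms]


if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        task = analyse_schtasks(cmd)
        if task:
            print("task", task["task"], "->", task["target"], task["reasons"])
        for path in self_protected_paths(cmd):
            print("read-only lock on", path)
```

Both checks are deliberately narrow: a task that runs every minute from a user-writable temp directory, or a CACLS chain that first removes and then partially restores the current user's own rights, is rare in legitimate software and cheap to alert on.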
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)
  Create or Modify System Process: Windows Service (1)
  Scheduled Task/Job (1)
Downloads
Dropped files. The raw report lists a file once per write event; each path appears once here.

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w8781755.exe
  Filesize: 23KB
  MD5: 54445bba2c4118ba46b8489cae3a8f94
  SHA1: 90574eef2929f36c70d747d8cad0258df0b76b12
  SHA256: b27d7fcd86d9858c5fd9a1b9fb9f2db229fa79af506fbb163a6fad99509e3b43
  SHA512: 1af09ad6fb9bba953b624c911618f01a22e70547b32b6f700bb061b6b07cda205499cd75583c561b4ede7ee28779575dc2145e6f512a6cda0198b921c7b11542

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z1625615.exe
  Filesize: 972KB
  MD5: df48378a0f7e1d1ff3b7691fec3325f5
  SHA1: 832f49fdf5a2e5b11ace7c5587f3427cd6295b47
  SHA256: c025fc004ab4236c0332cbfdd0f9d8316ef3b995d52c4ebbff8a8b26e32a74da
  SHA512: 543e097b4def79368cfb241a19c3f345e499e54a45e6e5368c1bf5538c93615383d5c995745fcfc8acaba06bdf99bcd82fe7be6e8cff837dd2d474b25b6d1b1b

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u8067762.exe
  Filesize: 219KB
  MD5: a427281ec99595c2a977a70e0009a30c
  SHA1: c937c5d14127921f068a081bb3e8f450c9966852
  SHA256: 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
  SHA512: 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z8167961.exe
  Filesize: 789KB
  MD5: 53fa74c69752e7e38d0a1c437b087e87
  SHA1: 0ce737f30bc632f031566b0e46234da92a74abf5
  SHA256: 5577f2224329d3af4e7ca137513acdb69cc996cb1ed2bcc62481afecf9ec862f
  SHA512: 0668a5b377b37dcacd6048604cb24c1f7909ba3d5c85cd1aad6d2d83c7e63b8f35832d209b01e3a4c56a8c6d2bc504497f3ce4d63e8d8e30f332d852e59c5be4

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t1184492.exe
  Filesize: 219KB
  MD5: 4bd59a6b3207f99fc3435baf3c22bc4e
  SHA1: ae90587beed289f177f4143a8380ba27109d0a6f
  SHA256: 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
  SHA512: ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z1788813.exe
  Filesize: 606KB
  MD5: 32bfb004316d7b65f8c0315a9557bf1b
  SHA1: c960c3d110aee404049e099298426f5a39b2ab07
  SHA256: e59e10c631b857acaa1b378e5673aae9f44aadff236255c9eb76ee1c176faa4f
  SHA512: 0c1c33dea6cf7c9e09057b9f7487ff2c8d1f72f8f2a59c3355d7f773aa6b45ddffe6aea98d6dfb735cb506ca2693bf49297e8f8a211b7c758eefad055c2a2673

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s3868803.exe
  Filesize: 390KB
  MD5: 4151105cebbbfd69876a925c31a2aad6
  SHA1: 9b3d70a86264e279d92152e81c7c18951b97e961
  SHA256: 1a41898c0f5a8e45d7dc883b42d30384c29ee52d09dd3879052a16cafc002669
  SHA512: 632afe3f2f2f77c58e75f9a92a449c7ec055a14c5d7ea5078e2249a3ee81043016a43dfdcfb939f851258233c0b69911a97874c0e82ec509cfb275b64578bb1f

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8273431.exe
  Filesize: 335KB
  MD5: a773a8bb0ff6c9d233095f93dec5b94d
  SHA1: ad785dd83398eed836c49afbb752314ad22c871f
  SHA256: 45a03c3727c5e4eb5ad7929cfc9bc5154959c3b348fb36f094c35bb3bdeea772
  SHA512: ec69caecac23746c939cbad6b73979d129f2c4b16b6f090eeca1ecfca237f196ed99f2be2264c4234ffa3acc2c43f68914f9b143e5004ce701193fefd2f6d76c

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q4991198.exe
  Filesize: 11KB
  MD5: 6fd0be63aa8a65b2493c4b3603bce8d0
  SHA1: 8c863c4fdbec6bba661c64d9029a1a33f69b5abc
  SHA256: a072db61cc4dbd41317f758378435870693812c3f2d431ef69188d49bb01bb5c
  SHA512: 8efed7997bc25b4b3949b7dd588ba872b17dc8d01d43a60c8fcb32b9380a165765389ecae5389c1305be494044aa63ccb024566938820523dd0bd50bbcc1be1b

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9230333.exe
  Filesize: 356KB
  MD5: 15a73979134d925ec46c6ac90a2cf02c
  SHA1: 31e1cff66b31b244df909aa1919953a134d1fb90
  SHA256: 0fe4db718b0249b7716ba1f694ec7da301e82763e9a095cef885616ad9d7ac72
  SHA512: d0ab1ca27e8843710275e00a2964ed30ad05b2585e312abeb335fa369c677d86a7593a39956d4e15ed0db901207b814c9cb90d8aba132431e2c64675fa6db7ae

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  Filesize: 219KB
  MD5: a427281ec99595c2a977a70e0009a30c
  SHA1: c937c5d14127921f068a081bb3e8f450c9966852
  SHA256: 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
  SHA512: 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
  Filesize: 219KB
  MD5: 4bd59a6b3207f99fc3435baf3c22bc4e
  SHA1: ae90587beed289f177f4143a8380ba27109d0a6f
  SHA256: 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
  SHA512: ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
  Filesize: 89KB
  MD5: e913b0d252d36f7c9b71268df4f634fb
  SHA1: 5ac70d8793712bcd8ede477071146bbb42d3f018
  SHA256: 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
  SHA512: 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
  Filesize: 273B
  MD5: a5b509a3fb95cc3c8d89cd39fc2a30fb
  SHA1: 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
  SHA256: 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
  SHA512: 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
  Filesize: 89KB
  MD5: ec41f740797d2253dc1902e71941bbdb
  SHA1: 407b75f07cb205fee94c4c6261641bd40c2c28e9
  SHA256: 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
  SHA512: e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 273B
  MD5: 6d5040418450624fef735b49ec6bffe9
  SHA1: 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
  SHA256: dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
  SHA512: bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Two observations for hunting: cb378487cf\legota.exe is byte-identical (same SHA256) to IXP001.TMP\u8067762.exe, and fefffe8cea\explothe.exe to IXP002.TMP\t1184492.exe, so each Amadey installer simply copies itself into its install_dir before scheduling the copy; searching for either hash finds both the dropped and the installed file. Both cred64.dll files are 273 bytes, far too small to be a PE module, and only clip64.dll is ever loaded by rundll32.exe in the process tree; treat the cred64.dll entries as failed plugin downloads rather than loadable components.
Memory dumps (PID-sequence, address range: size)
  memory/1192-46-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
  memory/1192-44-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
  memory/1192-43-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
  memory/1192-42-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
  memory/4684-35-0x0000000000A70000-0x0000000000A7A000-memory.dmp: 40KB
  memory/4684-38-0x00007FF9B3630000-0x00007FF9B40F1000-memory.dmp: 10.8MB
  memory/4684-36-0x00007FF9B3630000-0x00007FF9B40F1000-memory.dmp: 10.8MB
  memory/5080-65-0x0000000004E10000-0x0000000004E20000-memory.dmp: 64KB
  memory/5080-87-0x0000000004E10000-0x0000000004E20000-memory.dmp: 64KB
  memory/5080-86-0x0000000072F80000-0x0000000073730000-memory.dmp: 7.7MB
  memory/5080-75-0x0000000005060000-0x00000000050AC000-memory.dmp: 304KB
  memory/5080-69-0x0000000004EE0000-0x0000000004F1C000-memory.dmp: 240KB
  memory/5080-50-0x0000000000400000-0x0000000000430000-memory.dmp: 192KB
  memory/5080-64-0x0000000004E80000-0x0000000004E92000-memory.dmp: 72KB
  memory/5080-63-0x0000000004F50000-0x000000000505A000-memory.dmp: 1.0MB
  memory/5080-62-0x0000000005440000-0x0000000005A58000-memory.dmp: 6.1MB
  memory/5080-57-0x0000000002890000-0x0000000002896000-memory.dmp: 24KB
  memory/5080-54-0x0000000072F80000-0x0000000073730000-memory.dmp: 7.7MB
The 0x400000 dumps from the two AppLaunch.exe hosts (PIDs 1192 and 5080) are the image base of the hollowed process, which is where the injected payload would be carved for static analysis; the 4684-35 dump is the one the Healer YARA rule matched.