Analysis
- max time kernel: 147s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: 6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe
- Resource: win7-20230831-en
General
- Target: 6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe
- Size: 1.0MB
- MD5: 8ef1c3e0d925499f929b4e4868ddc085
- SHA1: 873fa198819496fac3e44c40b98adddfa8f469cd
- SHA256: 6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6
- SHA512: 95e763f972706111581473aa0a5c3085e4bc6758c1645f24161207ce749a938fc9522cff8a4f2a80089df44fe5cf47ef90a9c7f5073634a2ef72a92e3efd20af
- SSDEEP: 24576:qyInohCPiXc4Y4AHuNGFkS6gb/vMwL0da1F37ZfQfKR++EMUr8M:xjh1UfHuNGfzbMc1F37ef/+dUr8
Malware Config
Extracted
- Family: redline
- Botnet: gruha
- C2: 77.91.124.55:19071
- auth_value: 2f4cf2e668a540e64775b27535cc6892
Extracted
- Family: amadey
- Version: 3.89
- C2: http://77.91.68.52/mac/index.php
- C2: http://77.91.68.78/help/index.php
- install_dir: fefffe8cea
- install_file: explonde.exe
- strings_key: 916aae73606d7a9e02a1d3b47c199688
Signatures

Detect Mystic stealer payload (4 IoCs)
- resource: behavioral2/memory/4204-40-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_mystic
- resource: behavioral2/memory/4204-41-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_mystic
- resource: behavioral2/memory/4204-42-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_mystic
- resource: behavioral2/memory/4204-44-0x0000000000400000-0x0000000000428000-memory.dmp; yara_rule: family_mystic

Detects Healer an antivirus disabler dropper (1 IoCs)
- resource: behavioral2/memory/4312-35-0x0000000000400000-0x000000000040A000-memory.dmp; yara_rule: healer

Modifies Windows Defender Real-time Protection settings
Processes:
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"
- AppLaunch.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"
- AppLaunch.exe: Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

Checks computer location settings (2 TTPs, 4 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
- t9574708.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation
- explonde.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation
- u5410901.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation
- legota.exe: Key value queried \REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (16 IoCs)
Processes (pid, process):
- 1948 z8166344.exe
- 3200 z5235526.exe
- 3740 z8494544.exe
- 2088 z9135775.exe
- 4668 q3108261.exe
- 4960 r2337546.exe
- 4628 s9755640.exe
- 2880 t9574708.exe
- 5104 explonde.exe
- 3480 u5410901.exe
- 4548 legota.exe
- 4848 w4942505.exe
- 1468 explonde.exe
- 2068 legota.exe
- 4552 explonde.exe
- 4344 legota.exe

Loads dropped DLL (2 IoCs)
Processes (pid, process):
- 3636 rundll32.exe
- 3712 rundll32.exe

Adds Run key to start application (2 TTPs, 5 IoCs)
Processes:
- z9135775.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""
- 6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""
- z8166344.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""
- z5235526.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""
- z8494544.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""

Suspicious use of SetThreadContext (3 IoCs)
Processes:
- PID 4668 (q3108261.exe) set thread context of 4312 (AppLaunch.exe)
- PID 4960 (r2337546.exe) set thread context of 4204 (AppLaunch.exe)
- PID 4628 (s9755640.exe) set thread context of 4888 (AppLaunch.exe)

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (4 IoCs)
Processes (pid, process -> pid_target, target process):
- 1276 WerFault.exe -> 4668 q3108261.exe
- 3976 WerFault.exe -> 4960 r2337546.exe
- 3684 WerFault.exe -> 4204 AppLaunch.exe
- 4680 WerFault.exe -> 4628 s9755640.exe

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
- 4164 schtasks.exe
- 2996 schtasks.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 4312 AppLaunch.exe
- 4312 AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
- Token: SeDebugPrivilege, 4312 AppLaunch.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (repeated calls collapsed; the count in brackets is the number of identical entries):
- PID 3940 (6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe) wrote to memory of 1948 (z8166344.exe) [3]
- PID 1948 (z8166344.exe) wrote to memory of 3200 (z5235526.exe) [3]
- PID 3200 (z5235526.exe) wrote to memory of 3740 (z8494544.exe) [3]
- PID 3740 (z8494544.exe) wrote to memory of 2088 (z9135775.exe) [3]
- PID 2088 (z9135775.exe) wrote to memory of 4668 (q3108261.exe) [3]
- PID 4668 (q3108261.exe) wrote to memory of 4312 (AppLaunch.exe) [8]
- PID 2088 (z9135775.exe) wrote to memory of 4960 (r2337546.exe) [3]
- PID 4960 (r2337546.exe) wrote to memory of 4204 (AppLaunch.exe) [10]
- PID 3740 (z8494544.exe) wrote to memory of 4628 (s9755640.exe) [3]
- PID 4628 (s9755640.exe) wrote to memory of 4888 (AppLaunch.exe) [8]
- PID 3200 (z5235526.exe) wrote to memory of 2880 (t9574708.exe) [3]
- PID 2880 (t9574708.exe) wrote to memory of 5104 (explonde.exe) [3]
- PID 1948 (z8166344.exe) wrote to memory of 3480 (u5410901.exe) [3]
- PID 5104 (explonde.exe) wrote to memory of 4164 (schtasks.exe) [3]
- PID 5104 (explonde.exe) wrote to memory of 3396 (cmd.exe) [3]
- PID 3480 (u5410901.exe) wrote to memory of 4548 (legota.exe) [2]
Processes (tree; each entry gives the image path, its command line, and the signatures it triggered)

C:\Users\Admin\AppData\Local\Temp\6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe
  cmd: "C:\Users\Admin\AppData\Local\Temp\6ee17d3e18133021afbda0626f131f0ca6ea34ad6676d93188f6a2b4cbbeb2a6.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8166344.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8166344.exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5235526.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5235526.exe
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8494544.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8494544.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9135775.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9135775.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3108261.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3108261.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              - Modifies Windows Defender Real-time Protection settings
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
            C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4668 -s 152
              - Program crash
          C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2337546.exe
            cmd: C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2337546.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
              cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
              C:\Windows\SysWOW64\WerFault.exe
                cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4204 -s 540
                - Program crash
            C:\Windows\SysWOW64\WerFault.exe
              cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4960 -s 148
              - Program crash
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9755640.exe
          cmd: C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9755640.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
            cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
          C:\Windows\SysWOW64\WerFault.exe
            cmd: C:\Windows\SysWOW64\WerFault.exe -u -p 4628 -s 584
            - Program crash
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9574708.exe
        cmd: C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9574708.exe
        - Checks computer location settings
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
          cmd: "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe"
          - Checks computer location settings
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\schtasks.exe
            cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explonde.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe" /F
            - Creates scheduled task(s)
          C:\Windows\SysWOW64\cmd.exe
            cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explonde.exe" /P "Admin:N"&&CACLS "explonde.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
            C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "explonde.exe" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "explonde.exe" /P "Admin:R" /E
            C:\Windows\SysWOW64\cmd.exe
              cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
            C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "..\fefffe8cea" /P "Admin:N"
            C:\Windows\SysWOW64\cacls.exe
              cmd: CACLS "..\fefffe8cea" /P "Admin:R" /E
          C:\Windows\SysWOW64\rundll32.exe
            cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
            - Loads dropped DLL
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5410901.exe
      cmd: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5410901.exe
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
        cmd: "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
        - Checks computer location settings
        - Executes dropped EXE
        C:\Windows\SysWOW64\schtasks.exe
          cmd: "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
          - Creates scheduled task(s)
        C:\Windows\SysWOW64\cmd.exe
          cmd: "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
          C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "legota.exe" /P "Admin:N"
          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "legota.exe" /P "Admin:R" /E
          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\cb378487cf" /P "Admin:N"
          C:\Windows\SysWOW64\cmd.exe
            cmd: C:\Windows\system32\cmd.exe /S /D /c" echo Y"
          C:\Windows\SysWOW64\cacls.exe
            cmd: CACLS "..\cb378487cf" /P "Admin:R" /E
        C:\Windows\SysWOW64\rundll32.exe
          cmd: "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
          - Loads dropped DLL
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4942505.exe
    cmd: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4942505.exe
    - Executes dropped EXE
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4668 -ip 4668
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4960 -ip 4960
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4204 -ip 4204
C:\Windows\SysWOW64\WerFault.exe
  cmd: C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4628 -ip 4628
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe
  - Executes dropped EXE
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  cmd: C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
  - Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Scheduled Task/Job (1)
Downloads (duplicate entries with identical path and hashes are listed once)

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w4942505.exe
  Filesize: 22KB
  MD5: 963aeebf716931124435228486484c9c
  SHA1: f8ed667b04939f6155eff4337d36461b3c4f8af3
  SHA256: 3f752b1bd58c7359a96f15f6b7601da9d20691b472567b47f11d2eb7d53ea45e
  SHA512: cbc53f2291bdfe600e113862478337878b9ce4056d2c2df5d8108254a13ef185b686b88673c2799297ce8fb07313f151dba0393a8a13d3762de0849bb07a75a7

- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z8166344.exe
  Filesize: 966KB
  MD5: 601c376b37ab6f79dde6b730a2051bbd
  SHA1: 65ecae31ad413905afabe5ce8b21f8bbd31319d9
  SHA256: 823c6d3d660f22bb0f5d3bd1f2dee5879c99497a2024e5d05cb7c8ae63bb18a1
  SHA512: 20284080b0ad16d4f656aea39f33fa629bcbdec901ff4cacdf283dd7b3f5963dd31760f7f764e13d48e5f1a4633bc789229cbf9ef33730f4ba78cebefbd752db

- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u5410901.exe
  Filesize: 219KB
  MD5: a427281ec99595c2a977a70e0009a30c
  SHA1: c937c5d14127921f068a081bb3e8f450c9966852
  SHA256: 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
  SHA512: 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

- C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5235526.exe
  Filesize: 783KB
  MD5: ee3fb9ec2481c73ccb318435d9f6e55f
  SHA1: d6742b04a02cd941fbf153c5da0f867cf4ae0287
  SHA256: 2c1ddda54ac178baddb032f9c75b45868f4264d221a7857fbbeaf6156420259c
  SHA512: 594a0f75a9cb9bb22936d637fd1f64cf3f57483bab8c1bb8ccedf67188a0ce28ee5fba5854e4cb1291e777c9285819ad46a578c7a33cbc7916627727bd58c5ef

- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t9574708.exe
  Filesize: 219KB
  MD5: c256a814d3f9d02d73029580dfe882b3
  SHA1: e11e9ea937183139753f3b0d5e71c8301d000896
  SHA256: 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
  SHA512: 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8494544.exe
  Filesize: 601KB
  MD5: bdd9f75f0fa8de43d4f23cc911753a1f
  SHA1: 98c9154c77d683df6e88fd7392de01ddd211d4e7
  SHA256: 473cb1f07416f0c46ec6d4f3e03b2536127a31886074dd0869a2a021533ecc49
  SHA512: a4925b2a8b16e1827cdbd805db325670e35baf7e8f20e6b29ab5b378770d86f1226ab40e4b3b6effaa11388d5082298d17d977b539e76ee06497a8c264fb7952

- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9755640.exe
  Filesize: 380KB
  MD5: 89ac03d80a2ce64c2ad35a0ce1e828e2
  SHA1: fedf431213526cbea6ef14885e33fee076dff61c
  SHA256: 6a1f8797ebdd4e037b26689bd9772c6f6df69b8fec94c99a934c01102ed43b63
  SHA512: 2ed344bc47de944c93ef8b51547aa6208a8801a7a789e884570ba99b173c2559e395a9cd33d0b85e3e71525f9ef155d7dd5d0a8cb8f73f899afc11d8ad44cce3

- C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9135775.exe
  Filesize: 338KB
  MD5: 0e77968efc635e83f22bd85af978fbc0
  SHA1: 52b3911bd87bb333f9841512c3bf89e191c1944b
  SHA256: 5b3a5f44f56a486d45586fd178dc1327d80c690b425ec00ca9076ac29633cca7
  SHA512: c989ec2e655ddd0636d28dcc172e75d0f0e90d9796177d10da788956f9bd92bb622815c5dcc2871c8eb88955274ec0f37181fc2dc42440fe984d1525b38033ab

- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q3108261.exe
  Filesize: 217KB
  MD5: c214238c8b28d71d4606bebe3a0362b4
  SHA1: fe257d19cb1183dbb718c1e353f63ba070575558
  SHA256: f773fb070888c67a1d359d2d53d624ddd8c9681601c25daad5c050c478f4d887
  SHA512: 78b30b4dcf0bced4e0255e61683e21ca27465d9650380e3823c669e0688e88a29a9966aa1894ed690a742237a83d14a18b73194fefcab8eadf7e2b1927e51fa8

- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r2337546.exe
  Filesize: 346KB
  MD5: b8981af35edc0293376b6c8cc927e12d
  SHA1: 73192b3e9fad87e5d7292fbb55795c160d37f292
  SHA256: 29dfb97f4164e6e98d842f95802f7460503a799a8a837f19c2e8e9bd592ea7c3
  SHA512: db86ecf1971ad4b4036736278b5287d79894139c539321342a967c5667b658a6ad0d7b5cec2bf0650e16b9c6483326f4293afbe21f7603fea3c0105e97c7699c

- C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe (same hashes as IXP001.TMP\u5410901.exe above, i.e. a copy installed under a new name)
  Filesize: 219KB
  MD5: a427281ec99595c2a977a70e0009a30c
  SHA1: c937c5d14127921f068a081bb3e8f450c9966852
  SHA256: 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
  SHA512: 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

- C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explonde.exe (same hashes as IXP002.TMP\t9574708.exe above, i.e. a copy installed under a new name)
  Filesize: 219KB
  MD5: c256a814d3f9d02d73029580dfe882b3
  SHA1: e11e9ea937183139753f3b0d5e71c8301d000896
  SHA256: 53f129d7c6b008406a6214c261e45c06dfc1cd7dc36639018e37b07416bf5f7c
  SHA512: 1f263232f9bcf8f936239cd0866594c5d14c4b6cca8337c1a20dabfedf588fbc5839deba7f5fc8243f1a6fa64f87a2133afde6ce7b6eb4293b4807f66e05df3a

- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
  Filesize: 89KB
  MD5: 2ac6d3fcf6913b1a1ac100407e97fccb
  SHA1: 809f7d4ed348951b79745074487956255d1d0a9a
  SHA256: 30f0f0631054f194553a9b8700f2db747cb167490201a43c0767644d77870dbe
  SHA512: 79ebf87dccce1a0b7f892473dfb1c0bff5908840e80bbda44235a7a568993a76b661b81db6597798ec6e978dc441dd7108583367ffdc57224e40d0bd0efe93b6

- C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
  Filesize: 273B
  MD5: 0c459e65bcc6d38574f0c0d63a87088a
  SHA1: 41e53d5f2b3e7ca859b842a1c7b677e0847e6d65
  SHA256: 871c61d5f7051d6ddcf787e92e92d9c7e36747e64ea17b8cffccac549196abc4
  SHA512: be1ca1fa525dfea57bc14ba41d25fb904c8e4c1d5cb4a5981d3173143620fb8e08277c0dfc2287b792e365871cc6805034377060a84cfef81969cd3d3ba8f90d

- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
  Filesize: 89KB
  MD5: ec41f740797d2253dc1902e71941bbdb
  SHA1: 407b75f07cb205fee94c4c6261641bd40c2c28e9
  SHA256: 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
  SHA512: e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

- C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
  Filesize: 273B
  MD5: 6d5040418450624fef735b49ec6bffe9
  SHA1: 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
  SHA256: dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
  SHA512: bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

Memory dumps (resource, Filesize):
- memory/4204-40-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/4204-41-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/4204-42-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/4204-44-0x0000000000400000-0x0000000000428000-memory.dmp: 160KB
- memory/4312-53-0x0000000074540000-0x0000000074CF0000-memory.dmp: 7.7MB
- memory/4312-35-0x0000000000400000-0x000000000040A000-memory.dmp: 40KB
- memory/4312-36-0x0000000074540000-0x0000000074CF0000-memory.dmp: 7.7MB
- memory/4312-51-0x0000000074540000-0x0000000074CF0000-memory.dmp: 7.7MB
- memory/4888-87-0x0000000074540000-0x0000000074CF0000-memory.dmp: 7.7MB
- memory/4888-90-0x0000000005240000-0x0000000005250000-memory.dmp: 64KB
- memory/4888-59-0x000000000ACF0000-0x000000000B308000-memory.dmp: 6.1MB
- memory/4888-50-0x0000000002D00000-0x0000000002D06000-memory.dmp: 24KB
- memory/4888-49-0x0000000074540000-0x0000000074CF0000-memory.dmp: 7.7MB
- memory/4888-48-0x0000000000400000-0x0000000000430000-memory.dmp: 192KB
- memory/4888-60-0x000000000A830000-0x000000000A93A000-memory.dmp: 1.0MB
- memory/4888-64-0x000000000A940000-0x000000000A98C000-memory.dmp: 304KB
- memory/4888-61-0x000000000A760000-0x000000000A772000-memory.dmp: 72KB
- memory/4888-62-0x0000000005240000-0x0000000005250000-memory.dmp: 64KB
- memory/4888-63-0x000000000A7C0000-0x000000000A7FC000-memory.dmp: 240KB