Analysis Overview
SHA256
0e7e5c6eec2718102c051da7d403442664bb8cd9c6f3f2e231c4dae69be2fb79
Threat Level: Known bad
The file aa96cbc9b53138883480cee00d2e6e41.exe was found to be: Known bad.
Malicious Activity Summary
SmokeLoader
RedLine payload
Smokeloader family
RedLine
Modifies Windows Firewall
Downloads MZ/PE file
Reads user/profile data of web browsers
Executes dropped EXE
Deletes itself
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious use of FindShellTrayWindow
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-11 03:01
Signatures
Smokeloader family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-11 03:01
Reported
2023-12-11 03:04
Platform
win7-20231020-en
Max time kernel
115s
Max time network
115s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF79.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1360 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe |
| PID 1360 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe |
| PID 1360 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe |
| PID 1360 wrote to memory of 2352 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AA15.exe |
| PID 1360 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF79.exe |
| PID 1360 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF79.exe |
| PID 1360 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF79.exe |
| PID 1360 wrote to memory of 2872 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BF79.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe
"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"
C:\Users\Admin\AppData\Local\Temp\AA15.exe
C:\Users\Admin\AppData\Local\Temp\AA15.exe
C:\Users\Admin\AppData\Local\Temp\BF79.exe
C:\Users\Admin\AppData\Local\Temp\BF79.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\C3ED.exe
C:\Users\Admin\AppData\Local\Temp\C3ED.exe
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp" /SL5="$201AC,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20231211030335.log C:\Windows\Logs\CBS\CbsPersist_20231211030335.cab
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Users\Admin\AppData\Local\Temp\A12.exe
C:\Users\Admin\AppData\Local\Temp\A12.exe
C:\Users\Admin\AppData\Local\Temp\145F.exe
C:\Users\Admin\AppData\Local\Temp\145F.exe
Network
| Country | Destination | Domain | Proto |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| RU | 77.105.132.87:6731 | N/A | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| MD | 176.123.7.190:32927 | N/A | tcp |
Files
memory/2052-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/2052-2-0x0000000000400000-0x000000000040B000-memory.dmp
memory/1360-1-0x0000000002690000-0x00000000026A6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AA15.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
memory/2352-12-0x0000000000080000-0x00000000000BC000-memory.dmp
memory/2352-17-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2352-18-0x0000000004C70000-0x0000000004CB0000-memory.dmp
memory/2352-21-0x0000000074DC0000-0x00000000754AE000-memory.dmp
memory/2352-22-0x0000000004C70000-0x0000000004CB0000-memory.dmp
memory/2352-24-0x0000000074DC0000-0x00000000754AE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BF79.exe
| MD5 | a2d34f487492505c3a4d29c665d580fd |
| SHA1 | 0b43d59b62214ebb62d440ecf1a297524275c1cd |
| SHA256 | e09db09c99bee676a252395a612bbc74f6fe942fcdb7c5957ce3d1c05ff8b8d5 |
| SHA512 | 822caee7b53ac7197db8fd61bab57823d25546970007ca7e96efccabe7610cf387d2f50a3247ff270c2f32a28640c7137816f1cbc935ee5c1b9a356b01595b2b |
C:\Users\Admin\AppData\Local\Temp\BF79.exe
| MD5 | 5ddd1b67d1e3b777b6a4de9352677a2b |
| SHA1 | 83fa1b212a3576cd469322c3faa47ed318536ace |
| SHA256 | 4981b761dd9c2a8545b8fd0b736a2ea7e0fff01d0f7a907c73d1224ee3209770 |
| SHA512 | 3fd81d6279245d3b5af0319a8126c2dec54d61231f60a4aa811cced1986d98cc4c27c172b52e1d4d870bb482a648b834b56bde1e31c89ea270627b0953b33cb9 |
memory/2872-30-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2872-31-0x00000000009A0000-0x0000000001E56000-memory.dmp
\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 473e906163097f650671b6b9ecea2f09 |
| SHA1 | b2b6b07126e9f79fef521c068e1dd95df2e02b27 |
| SHA256 | a218d050eebbd313db0310e7bac3d0fa9af0ada11a815f743766a68fdb4e4d71 |
| SHA512 | bc8cd3a66578232e6601f7700379e2d6be028ccf3bbfb89971770d2a81765a56247dbc5d960729b63f91fb0af93ffd5e47f08afa372250cc436351870553cbfd |
C:\Users\Admin\AppData\Local\Temp\C3ED.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 6c11a7550d0436faddf82c93f0e617b3 |
| SHA1 | fc782881299704295b9afab5573e3a352f9813af |
| SHA256 | 3a2deb3cd3f4a20400bce0d996b819667be9f03b5d4c63478b4a91a6cf3923e6 |
| SHA512 | 22a80ce0e452aed64e6fb1d2c81647f97ed3c0f2ba5758573682b8c34b04eaa91f388a2d815f9152d2eec810dda3c58e4d9d4e00b1ef07af0c2b30f239d953cb |
memory/1616-41-0x0000000000F70000-0x0000000000FAC000-memory.dmp
memory/1616-44-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/1616-47-0x0000000007330000-0x0000000007370000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 624211215e9392abb34db7bfcde96f6f |
| SHA1 | a9d1719ba7f5250083874f00e96ebfa82cf96028 |
| SHA256 | c1b4419d8908483170bdfc67953f3a8f449e9ea1f3488b9f46edecf62ab6bc74 |
| SHA512 | 1fd0186b23878faa5ae9b00ed149ec716428329d193f25f5f661b0263245809921e18b89e379059dfff08e24838221aa2397a401c276251d2a66c2e54d8d6595 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | c2c962f7e5ca61b9bd680c05b25cbeb3 |
| SHA1 | eada62e621a42bc005c6f155c88906a5f9ae4712 |
| SHA256 | bc06fe6a092b264ce4f3594e41ddee768c8ed56cc106f4845332968d0fbc5af0 |
| SHA512 | 00aeb914ff7f606a3a75ab7830d938763fd7510928d54159a16e08b7c3c4dcf9bdcde6f506fbecb5325f8987805410957e55d8ed6610f3563fb4a5f4e3c9ccef |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | cf4f79f9a0a5996e6e446b25015e250c |
| SHA1 | ce1e4bc9fcaba89af7257e5aba6faf9efae4bb5f |
| SHA256 | 18f75ce80aeb4ba1b93d1dca323c3328cf71967bc2f043073efcd12fa6920c38 |
| SHA512 | 3241828e23c2620f82ee263b17c144393370bfc23290f540fabb049c75fc3dca266d8598f7171e6a4fe4b435b45061a3d3450e83705ade6221091741c8807900 |
\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | d9ff16d3e10501cdbd582d1f573e0bc9 |
| SHA1 | e71534b80a2241847d0731dd4b18614d52292b36 |
| SHA256 | e09be87cd148dcbed444e2bd03d77ea021e8f1cc0525ee90b28c46b41d239410 |
| SHA512 | 98ec69fad072452d3d45327ab8beac0e55d8b27255453160a6f5b51faaed13b63b74bb269417fb231e2470a0882106b8067d56b84ccf59fadadc2321f7c0733e |
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 9995f4332a1c59e4139dcd8d77e3b237 |
| SHA1 | 9098906576be6a41c303d58755f92f5b68ac95df |
| SHA256 | debdb3adc5d6cf6f8527d9d98bae7b56a260ea46d4462dbde4e68fdf6d0b67ba |
| SHA512 | 91b1dcc1411c5cb828e0e02e815ab627f2d98fb8a5293e3e3303f0c44e8400278aef50b42e4c2a2b0ea429ad0eecb979a8da87ccbb1ad620882c93af7da87f95 |
\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 54066f6e6c0505324a89aef8b072085c |
| SHA1 | 24199ba81d4f092183841c0ff71fb7efde143156 |
| SHA256 | 58c9b874eb77f23a82b263d5953766907e192316031ab22ce453661e8e185371 |
| SHA512 | 085765ce3f7f1c2db5fb5684b8adc501750dbe0d277bf5e682e8d2cd594dd85b9736c9bfe187b2ed8ae67f05688d04b52926484385a5fc3499803bd0e65825d3 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | 22607ed59c2ba0a1fc56a48ebb927b81 |
| SHA1 | a0fb06a72a740b26dc36889ea0fdf01a1cdb37a4 |
| SHA256 | 79e3dfa719e18dc57d3855361df22028b065b004b59ee15db64a0351a046ff2d |
| SHA512 | cb4b15715307d3d7a796b579a2f869a313a7a95d21643be023759b30dd499915860ca03104870ed9bb1bbcaa80e30275750da3f30fded57e440bcf630b50c619 |
memory/1816-72-0x0000000000240000-0x0000000000241000-memory.dmp
memory/3000-73-0x00000000029A0000-0x0000000002D98000-memory.dmp
\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | d9dd5d8464c17cecf065ec6f2770b811 |
| SHA1 | 0de8290dde3fa4957e8a56a7b8277e30915348d3 |
| SHA256 | d16607fb2f7156ea472225df7eb7098eb40857e222e028cddd6d796136e6855f |
| SHA512 | 7e04ae8324fd94b77a2140e0e8efcbd29375a54d67dfde1afbc8f1c2a6f347df7e19f9dd611109fac6d76f365cefbcd8785258654cab717bb01dd23b7ab674d1 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | a00642e3f356e558c02e147e63d2d5cf |
| SHA1 | 5f7b61f2fbae3879e531f6b6b7142cc3a42bc62c |
| SHA256 | f2b49295b14dc2739ce49da37f9da1f9bdac10824a0aa44d021e5562395dbe77 |
| SHA512 | 38b7c3222f703cdc8a8ea8e2311178c3d30c081fd4edfeab6ea84df002f875510c36860e76a42c74c6f4635b3e742ab4ffda0644a85c0e0e09fb0f0cdb0628e0 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | ef80e545bda07a065e4946c8299a8bfa |
| SHA1 | 8278c464d1d01d321db1b0d72123a95ce915a3fd |
| SHA256 | c78ed27985deafd108065d14eb5b5ab256f4ed1bee240b95ae546530c167ccc3 |
| SHA512 | 8b2d57a4f7818940d34f8f43a099ef7ae7e4e0ae706bce2319acd68578a8c0a7f97e7dfcf3e306b238ab165979d3af33f0bcccf683cd25f81e84ebf2fb18bb82 |
memory/2072-79-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 11e046ad6d93285b26d8caecb0d42b3c |
| SHA1 | 185610b49bf9497af8d51702a7f99acc656d58a3 |
| SHA256 | 4915d336378c09600d8323ef2fdf088666e72ac9af13d8bf51bdec28c2aafa0b |
| SHA512 | 6570354a47d2fcdcaeea99b080da6f8602bf661040f8b60c276a42a3e417b6eaded8e5e61f6ebf8df5ea1007132e24b80cbfd0ba196eaba39a56da9c56d6264d |
memory/2872-90-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/3000-89-0x0000000002DA0000-0x000000000368B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp
| MD5 | 4ca7804861f34293953273ba6f678030 |
| SHA1 | 4038f38cc42e89af57aa990907b59e8b395737c1 |
| SHA256 | 2314e965bb8073acbacc1372c484e95b73b35d053f289596207d49f6d521cd39 |
| SHA512 | 7373e2374b3382a9165d2348a6eae9955f5c3bc47ccac5ddfa708135354d2601ccb80ba9ce49f49c3074af2ce7ca411646eb1d1efdb0dde4ebb6583307a9d20c |
C:\Users\Admin\AppData\Local\Temp\is-CT0UL.tmp\tuc3.tmp
| MD5 | b8aa886f0630371e40fde27c7c149b38 |
| SHA1 | 0952896cccd46dd59f11fef05d5404ba0aeb93d6 |
| SHA256 | 8fa1cf8dad4392e595e0322c03648fe654a263d10af6915e4f7a1a15b2097321 |
| SHA512 | 07cd80fc66f1f076cc6cac5803c0cd87ed2874ff579691623bcdac7fad15e7ad0dbe23392d1ce0640b314daa4080fbc861d2688dbd2c0fe7277b55ca0551facc |
memory/3000-85-0x00000000029A0000-0x0000000002D98000-memory.dmp
\??\c:\users\admin\appdata\local\temp\is-ct0ul.tmp\tuc3.tmp
| MD5 | 67aa0877ca4318cd5355ba3ee4abc9f2 |
| SHA1 | 6da238760f3257fe72a486470be3169801e79dd8 |
| SHA256 | a7df75b4bfa70628297596e2c87c6e76cebae915a291372df4c27211f14ccef2 |
| SHA512 | 0f04a13ca0a958c919337e04aa16557e58cea828cf59d12ee9c339dbb9abfd3c0dbf7cff37bb38c9f1c9d3fb017a3fd04aab79ab7b25ddb6930502da8a4563bc |
memory/3000-109-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/968-110-0x00000000002C0000-0x00000000002C1000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-682D5.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-682D5.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
\Users\Admin\AppData\Local\Temp\is-682D5.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 4aa67e3c9db282c169fa7b73a38fb38f |
| SHA1 | 506ecc21dfc1febc69f151610f059aac64a4c940 |
| SHA256 | 64cd120ef5bde2fab8cc4d1f7fab7ad62cf1e26cb51c0da6451b2caef706d9ea |
| SHA512 | 7d513ed005bcfc634de3a730cbde9c9a4772df311cdcb864e80ffcfc7c5a92ca63cfdc5aa647e3689f8b82e0fc5314f8be062846417b8e338719119b805d0e5a |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ea746cf77373e4a9e0c2cfb3fb9f9ded |
| SHA1 | d1c03922f998f23c47cab26defe4d030f7fb2ee5 |
| SHA256 | f1cf81487a6f8f8469a1a0ff8640b5a51ad2687c280b9c699b88f552942f7a88 |
| SHA512 | 01264a4fc0090c0c295fecf1be3063da5223932cf0f1f8fef4ac4855afb16d993c5294c60f2208d4629edc201c262ad248f971315d8d92961523ac3617fc0ec2 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7e5d197cffafa54582741553472ff5b5 |
| SHA1 | 5860466ced20fa0f5d06dba7e7a9eaf71e188e6d |
| SHA256 | 3b96a7128847158aa26309f5fff742483bd584e9a9be32d63cc9d589f5f2474d |
| SHA512 | 549639761a5f6ba73733f9b741d1f09ac61339c3fa11bda4f08956e0205b6dff1cb278392497bbdbbe71d903b2e4d886b702622777bce66123aa8f5ceb1ccf12 |
memory/3000-124-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/3000-125-0x0000000002DA0000-0x000000000368B000-memory.dmp
memory/3000-126-0x00000000029A0000-0x0000000002D98000-memory.dmp
\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | fd3871aa776be4b77fcc9437f7c34988 |
| SHA1 | a05c594014261776991cadbfe85625266d0bc736 |
| SHA256 | ddf1ca3bdce5292951c2226539137aeaa2ff11e23a4a433c70c0a303bb4bb01f |
| SHA512 | c205f2a8d0b6af72f59ca091287af2c9f914af327e85cca7db39bd3076150420d7fb9000bd4ff663567e25c09325f2d19cec6536e7669295ea32b7700e47e764 |
memory/2388-130-0x00000000002D0000-0x00000000003D0000-memory.dmp
memory/1616-135-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2136-136-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2388-134-0x00000000001B0000-0x00000000001B9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | aada6a7d26525c1420a2570d4232b33d |
| SHA1 | fe8a416a5deaca6059430d4d70835c39e6b8af19 |
| SHA256 | 603b438c791de59e45c504ce9520e46b56a0f408baedba74040479b4b6f1f6a4 |
| SHA512 | 9ecb3623aba4a4f46a1c848809d66901e38f2df1648b64d5c9cda5e0cc8676406054adad1d3fd54a3c019134220434a6ba6c6782dd0c679de61a8ba0ea7df569 |
memory/2136-132-0x0000000000400000-0x0000000000409000-memory.dmp
memory/2136-129-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | 0f2d8e83402b24bb428f9f06120eea66 |
| SHA1 | 0a217fcaea5299640ed0ed3da6484e9c7d1a0eab |
| SHA256 | 0219854891ddb759613b777a89c258554d37083dcd7fbd754a8ec4d29ca69113 |
| SHA512 | 880329f313941193bc0b0ee5c894a58039f8bd815ce9be473ed7c86b26eb441337f7b28d60c210b3f8517997e2c9a5510ab1d9b73613d3dc4657cd4226f9f46c |
memory/1096-137-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/1616-138-0x0000000007330000-0x0000000007370000-memory.dmp
memory/1816-140-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1096-141-0x0000000002680000-0x0000000002A78000-memory.dmp
memory/1816-139-0x0000000000400000-0x0000000000965000-memory.dmp
memory/1096-143-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/2072-142-0x0000000000400000-0x0000000000414000-memory.dmp
\Windows\rss\csrss.exe
| MD5 | 5b5d608c5c8bf40ffde439859bde74db |
| SHA1 | a9aec423e8a1dd1af1fe4625971fa785da9b827c |
| SHA256 | 7d140eee1d831c0ac4b3dfc8fce8352328fea2cce3aa9962d58cdf9c5722c36c |
| SHA512 | 6ea6c18890fd30c2169b5a7f49541ecdbd6fb93ca7e28ba048525941a4f54bff7e12d3e174e4a87aa4c90056b2def5e49aada79bee3e54c47988650be700d8ed |
\Windows\rss\csrss.exe
| MD5 | 9f75047bbea361784c278f5ab697045b |
| SHA1 | ee1f2c7e0fdfe8d00c06c65c7e8b54f8f660403b |
| SHA256 | 0e6a22012ac286e0690ada41e1688233f59a1a2c638f4857f8331576b96dc91b |
| SHA512 | 8bd68492e6b8bf0c08ea25562fa4f0e096984bf6b8e34998e5a09e8b3e7a8870b8208afc7394841fe392a1e3176086c7023a70cedb8d5525e2d9b969b35e9654 |
C:\Windows\rss\csrss.exe
| MD5 | 6e8570f150d99e5b4aa1a2c150c033f0 |
| SHA1 | 9bda8a95b02e5ef3a4bf699867b2bb389f18fed1 |
| SHA256 | 44c4882f39efb4ccbc404e8e25324882845870e9cecc74de0377d4b760967ac5 |
| SHA512 | 7be43b871a79bd88563be9dbebd082d7f81480bd1ba352e2a57651f03bdbcdbf2b38c4e07dc7f3b1a1f98653f2b8b09ac519f55e687219e8cd368bfd98ed7548 |
memory/1360-153-0x0000000002990000-0x00000000029A6000-memory.dmp
memory/2136-154-0x0000000000400000-0x0000000000409000-memory.dmp
memory/1096-152-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1528-170-0x000000013FC60000-0x0000000140201000-memory.dmp
memory/968-171-0x0000000000400000-0x00000000004BD000-memory.dmp
memory/2984-172-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2984-173-0x00000000025C0000-0x00000000029B8000-memory.dmp
memory/2984-174-0x00000000029C0000-0x00000000032AB000-memory.dmp
memory/2984-176-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | db2eb4a282c1afd9d2a0675c692b7b8a |
| SHA1 | d91aa006ad2ffd3ec726c3e559c78fafe36bd743 |
| SHA256 | 51b2945f6a147f72bb2257d6d386d0e29665ac79558f57451f7e5499a24d48f6 |
| SHA512 | 0f78d7b9008c5f4853319e1df297b2b16011d516e49df604d05c749bef469833d059d7b3255fe1784b68627fa369630d28cf71cb575588c7c540ef5807801449 |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | 2a0c412236ca61d33da9832d87cf49db |
| SHA1 | 120732f6ca1a6f9648c7a065b3ba2e5be600f096 |
| SHA256 | 2cbc78f333e0bcb5d731f78faa3ccb25ec2d3ea153b2817f54564066823a20cb |
| SHA512 | 20ce1581c59625e8376735c8eae2bfdaf951b8c8582614d3474829b9ddcc1c7f31f78e488937fa6eaa1d80141727b5a312122ceb06cb1ddc18b0dda96f004c56 |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | c9ff7263f937c6d9c3a84d9bf6645cba |
| SHA1 | dd13bc685ab187e9431527f6a0bbeed13190c037 |
| SHA256 | be4ff1ee1b61cee86931c055a2632fd984b58b1282a915c8a7ff569bc81163da |
| SHA512 | 495cde4e76dd8d27e8ab662082296a3ac53ab9a7d20ec3b9e4ea3b3a4dc04626cbdc7894f304c875827eae19c3a4b1b00c313947d7b525cb1db87452a6ff30ef |
memory/472-186-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | b54fc8e1c14d9c052047bc3ee04d8909 |
| SHA1 | ecbe4067ba05610f0da436c5dace4c33b2a97af8 |
| SHA256 | 06171a75c4aab21669efa1aecf99719991bf7f2579bbfcfc253c0eb55c7a4a57 |
| SHA512 | 9fc8f8aa47ec57dbcc32ba31795abf073b40ca007804ee497a8582826fc5c232f912edb231d42f13696a433f2bd7868e90bcf6ba886b90e5aabd642a066ab4de |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | d9e8880361edc3df8810d9b53ee95a00 |
| SHA1 | 291c87d4f0c7b3bb56a9f42ba071c33b68203e06 |
| SHA256 | 00963ea21e1c6dfe97199081c723a477c1942d1b79f0bbaa5be088b043d839bb |
| SHA512 | b50dadd4a228a39be3af2de9e840c545fe2b1f4260d6c65852f8c26eb0c1dae549d9fb3e7fc04017bff73501df5835b2557f6e4afd767fa7bffa1b57ae4f88a5 |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | a56b01e29e331eb1b9e70922a50c6560 |
| SHA1 | 51f2ea56da89d4f338327e7958a9912df9950cf2 |
| SHA256 | 5cd514e1f1a09877e4f9481a2c9e50e31ab82f93240c22164beaaeee4003a070 |
| SHA512 | 24b1396073c205b4f3ae550f994f7dd591f63e132d7bb399a64614f48b713e541239c86dd302cc91470f542e646aacd97ca7ca01fb6a6b6cfbf2d3588f3764f7 |
memory/472-196-0x0000000140000000-0x00000001405E8000-memory.dmp
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 891fdaebca148e9d1600c653217b3b45 |
| SHA1 | 684f95754e46d259e19a155111391b54b59b9ed2 |
| SHA256 | 6f8b75b83bce738e519073c25cb746bbe0ce3cf021886ab527030f514ea4a6aa |
| SHA512 | bb7405833af11326e011ac91a9233bfb52707428c15ed541c3896fa18d43f49697cd0855feddc48b9fa96e5f5cd7467c01821f1b354368e0f4e28cdff95f5db0 |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 09f60c9adf9c5d4bde3753f745c42dfb |
| SHA1 | 0cd7ab31012daafab607967288089433dff2e6f5 |
| SHA256 | 05acad57c5be3b51d1854fb7dfa88aed42a0e6951b8e39c56050208aa627c0f0 |
| SHA512 | f4b47de156eabce8f995fb070d632a4644a1d0268b696a3512a3add95e43cadae3bddcf939c3af27dc4e14cb313ba1ab0d1a940be38407e146dc0a49ac3a1e41 |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | c3db0525eb6c8b7378be1a98cb044aaa |
| SHA1 | 9f6404006f4f93f52419bad19b46f13b29e64376 |
| SHA256 | 3b6d5126c6071d57cfa640333634818c3cce4dfafa815f61b4fc9717e0fa52a1 |
| SHA512 | 9ecaeef7c06eb34cb053fcbf3ea522a09825cdf47bab87a78f81b552b0e0c7bddbbd96140fae8860e513ac1d6d78cb07f29ee6526336557b0472e8aef018a26d |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 7c4759c93de3d9ccdf58a79657968be2 |
| SHA1 | 924e2aa19a265ce7f1f81ca5df4863b0a5069a3e |
| SHA256 | 13fca81976161ee5e53b48388b08b6259cd1949e1492a2ba4be4589603f9f6d1 |
| SHA512 | e5fd4248b23ca62288ba4499465d90d0c98f757e042d4bfd7acbee453e47f621ca5ebb365f59e989eda2b5fa0af6d4e98ff7a824b75ff1c7b22a862bf419c92c |
\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | 5208d15c5aa45a7a5b231f360435aa58 |
| SHA1 | f82fbbcf0e6663c2172a3868ce11612926260c86 |
| SHA256 | f3d74b9a1c67479dd8ccf90e66c129861c5f64cffea3542742d52e3ff750f895 |
| SHA512 | d07f60c8b76851ef0a90fa590d90b1610e62004aa5ec3ce39e4c19d7b3f152e8e2749e1e0fa6e98b6876dbc0662c18eb3dcd55548397b26d9c5c42a9fc0d406a |
C:\Users\Admin\AppData\Local\Temp\A12.exe
| MD5 | 8d3ec9388e8cd902cdcff2ed5842f2e1 |
| SHA1 | 08f9ec1d7b668ad8bcef376afcb6b022d7c09058 |
| SHA256 | 7d82d21a8c54089b0ed1096ae15e8dac29525ba17f733f6d36a7511af241bc68 |
| SHA512 | ded0172d693b673182a024af26c649f075d695a9b6b9ed8897a8b2893305f76b4c0176205d77b7025b6ad97c0d7c7a5ae7656af260ab846a816a449c67255de8 |
memory/2252-220-0x0000000074D90000-0x000000007547E000-memory.dmp
memory/2252-219-0x00000000002D0000-0x0000000000882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\A12.exe
| MD5 | 11469e8a1f981fead8bca5185f8614fc |
| SHA1 | 9b6a564c4f7beaf0a6c6df6261b0e60b54ad44cf |
| SHA256 | 27f1dc9f3574d0d2f82b3186bf22edf1a8b0085825fa1124065456806299ad35 |
| SHA512 | 7226b8539ea230a289ac618e1a1aec1ef33218377d7dd156d6ad095171aa413160f663e7ff061eba512751db8c528015b84312282b2353509106ebabb00882ce |
memory/2252-221-0x00000000052C0000-0x0000000005300000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\CabC33.tmp
| MD5 | f3441b8572aae8801c04f3060b550443 |
| SHA1 | 4ef0a35436125d6821831ef36c28ffaf196cda15 |
| SHA256 | 6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf |
| SHA512 | 5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
| MD5 | 025b48ee6f01ac7ad5a8dcb1e1f7c962 |
| SHA1 | eff7dcd06b47ee589ca1e6cc41c364d5c60076ec |
| SHA256 | 43d72bffa20b1073deb382a82efc6c6788049aa7713238b661cb3bf2aaea2718 |
| SHA512 | b959364d9d0949f9653651f2c50499a11e54529e899deb05ab9558e9de5c953d8ae7f238a5df9d0800ca02ba30fe7dae38a253c9700ac7347725d0209d0cec66 |
C:\Users\Admin\AppData\Local\Temp\TarDA1.tmp
| MD5 | 9f6f90901318c5c99b1a879bc731466c |
| SHA1 | e362e43fe1a75091582992898f44b3a10fd628a9 |
| SHA256 | c70d0698adac8a873bb318f294ab9a83858a19a3bad8315b083062e12f6e7727 |
| SHA512 | 9c1b09eca74537ef06fe54f7636e39f1f00de2425d1e09960d0d4bb35726737afb729e4502b406929e795121ab5bd51e9fe0792858bf8ca3e3818fbcb393ec55 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-11 03:01
Reported
2023-12-11 03:04
Platform
win10v2004-20231127-en
Max time kernel
102s
Max time network
107s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SmokeLoader
Downloads MZ/PE file
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
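The nine "wrote to memory of" rows above all have the same source PID, 3292, and three writes into each of the three freshly launched dropped executables. Folded into a per-source map that pattern is easy to read: one process staging three payloads. The script below is an added example (not part of the report) that parses those rows, copied verbatim from the table, into such a map; the helper names and the "stager" threshold are my choices.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (Description | Indicator | Process | Target).
WPM_ROWS = r"""
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3376 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C35B.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3832 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9CA5.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
| PID 3292 wrote to memory of 3124 | N/A | N/A | C:\Users\Admin\AppData\Local\Temp\A205.exe |
"""

# The report's own description format for this signature.
DESC = re.compile(r"PID (\d+) wrote to memory of (\d+)")


def parse_writes(text):
    """Yield (src_pid, dst_pid, target_path) for every well-formed row."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        match = DESC.search(cells[0])
        if not match:
            continue
        yield int(match.group(1)), int(match.group(2)), cells[3]


def write_graph(text):
    """Build {src_pid: {dst_pid: {"target": path, "writes": count}}}."""
    graph = defaultdict(dict)
    for src, dst, target in parse_writes(text):
        entry = graph[src].setdefault(dst, {"target": target, "writes": 0})
        entry["writes"] += 1
    return dict(graph)


def stagers(graph, min_targets=2):
    """Source PIDs that write into at least min_targets distinct processes."""
    return sorted(src for src, dsts in graph.items() if len(dsts) >= min_targets)


if __name__ == "__main__":
    g = write_graph(WPM_ROWS)
    for src in stagers(g):
        for dst, info in sorted(g[src].items()):
            print(f"{src} -> {dst} ({info['writes']} writes) {info['target']}")
```

Read the count column with care: a small, uniform number of writes into each newly created child is also what ordinary process start-up looks like, so this signature by itself does not prove hollowing or injection. The stronger evidence is in the memory dumps listed under Files, where a child later carries a mapped region that is not its own image; cross-reference the destination PIDs here (3376, 3832, 3124) against the memory/<pid>-... entries below.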
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe
"C:\Users\Admin\AppData\Local\Temp\aa96cbc9b53138883480cee00d2e6e41.exe"
C:\Users\Admin\AppData\Local\Temp\C35B.exe
C:\Users\Admin\AppData\Local\Temp\C35B.exe
C:\Users\Admin\AppData\Local\Temp\9CA5.exe
C:\Users\Admin\AppData\Local\Temp\9CA5.exe
C:\Users\Admin\AppData\Local\Temp\A205.exe
C:\Users\Admin\AppData\Local\Temp\A205.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
"C:\Users\Admin\AppData\Local\Temp\toolspub2.exe"
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
"C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\Broom.exe
C:\Users\Admin\AppData\Local\Temp\latestX.exe
"C:\Users\Admin\AppData\Local\Temp\latestX.exe"
C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp
"C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp" /SL5="$801C4,8423542,54272,C:\Users\Admin\AppData\Local\Temp\tuc3.exe"
C:\Users\Admin\AppData\Local\Temp\C899.exe
C:\Users\Admin\AppData\Local\Temp\C899.exe
C:\Users\Admin\AppData\Local\Temp\D79D.exe
C:\Users\Admin\AppData\Local\Temp\D79D.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
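Most rows in the Network table are PTR lookups (the in-addr.arpa names sent to 8.8.8.8) and Bing traffic from the Windows image itself. The two rows that matter for C2 triage are the plaintext TCP connections to 81.19.131.34:80 and 185.172.128.19:80, where the Domain column is just the IP, meaning no hostname was resolved first, and each of those IPs is then reverse-resolved by the host (34.131.19.81.in-addr.arpa, 19.128.172.185.in-addr.arpa). The script below is an added example, not part of the report, that pulls that pattern out of rows copied from the table; the classification rules and helper names are mine.

```python
import ipaddress
import re

# Rows copied from the Network table above (Country | Destination | Domain | Proto).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| RU | 81.19.131.34:80 | 81.19.131.34 | tcp |
| US | 8.8.8.8:53 | 34.131.19.81.in-addr.arpa | udp |
| RU | 185.172.128.19:80 | 185.172.128.19 | tcp |
| US | 8.8.8.8:53 | 19.128.172.185.in-addr.arpa | udp |
"""

PTR_NAME = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_rows(text):
    """Turn the four-column table rows into dicts; header and malformed rows are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name):
    """'34.131.19.81.in-addr.arpa' -> '81.19.131.34'; None for non-PTR names."""
    match = PTR_NAME.fullmatch(name)
    if not match:
        return None
    return ".".join(reversed(match.groups()))


def is_bare_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def direct_ip_connections(rows):
    """TCP connections whose 'domain' is a literal IP: no name lookup preceded them."""
    return [r for r in rows if r["proto"] == "tcp" and is_bare_ip(r["domain"])]


def reverse_lookups(rows):
    """Set of IPs the host reverse-resolved through PTR queries."""
    return {ip for ip in (ptr_to_ip(r["domain"]) for r in rows) if ip}


def triage(rows):
    """Direct-IP connections, annotated with whether the same IP was PTR-resolved."""
    ptrs = reverse_lookups(rows)
    return [{**r, "ptr_seen": r["ip"] in ptrs} for r in direct_ip_connections(rows)]


if __name__ == "__main__":
    for hit in triage(parse_rows(NETWORK_ROWS)):
        print(f"{hit['ip']}:{hit['port']} ({hit['country']}) ptr_seen={hit['ptr_seen']}")
```

The Bing endpoint at 204.79.197.200:443 is excluded because a hostname (g.bing.com, tse1.mm.bing.net) was resolved before the connection. Treat the two bare-IP port-80 destinations as C2 candidates to block and hunt for, and remember that the PTR queries are the analysis host's doing, not the malware's; they are useful only as corroboration that a connection to that IP actually happened.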
Files
memory/4516-0-0x0000000000400000-0x000000000040B000-memory.dmp
memory/3292-1-0x0000000002390000-0x00000000023A6000-memory.dmp
memory/4516-3-0x0000000000400000-0x000000000040B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C35B.exe
| MD5 | f88edad62a7789c2c5d8047133da5fa7 |
| SHA1 | 41b1f056cdda764a1c7c402c6fa4f8ab2f3ce5f9 |
| SHA256 | eb2b1ce5574096b91eb9e0482117d2518ab188c0747a209dc77e88d30bb970dc |
| SHA512 | e2d5b0ace5dfd3bd2321b2a42b7e7725071ca440389dc5ef12720a34727ae84c2907cd7befeae5d53568d9deaee8443f4cbda44b598cfc9b6316d9389be09a60 |
C:\Users\Admin\AppData\Local\Temp\9CA5.exe
| MD5 | d0c59443e41e1160209139841fa39c9f |
| SHA1 | 76be0077ce9dc5ef6756b8c202a6d5d94c759535 |
| SHA256 | de3b8eeffa2d3ce30a578af1de877afd5831e428ca7c0767933d6e6af9ac815c |
| SHA512 | d954cd9752d04a8d182377505e5c9a9f942425daf99301e3a136d1dca7565d8b181485d08852194c1b9152752b75824ce55c052d3697bf0c54e48dfb56332f28 |
C:\Users\Admin\AppData\Local\Temp\A205.exe
| MD5 | 91d23595c11c7ee4424b6267aabf3600 |
| SHA1 | ef161bb8e90cebdf81f4e53dfccb50c1f90a9a02 |
| SHA256 | d58937d468f6ca92b12ee903a16a4908de340f64f894cf7f1c594cd15c0c7e47 |
| SHA512 | cb9ed75c14e7b093cabab66c22d412371c639ace31fbe976c71ffec6007bf85b3d7d3e591fe5612e2a035298398d32e1aa7dc0d753f93328ebc2ce8e44fb8d2b |
memory/3832-20-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3124-21-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/3124-22-0x0000000000200000-0x000000000023C000-memory.dmp
memory/3832-23-0x0000000000780000-0x0000000001C36000-memory.dmp
memory/3124-24-0x0000000007480000-0x0000000007A24000-memory.dmp
memory/3124-25-0x0000000006FB0000-0x0000000007042000-memory.dmp
memory/3124-27-0x0000000007180000-0x0000000007190000-memory.dmp
memory/3124-28-0x0000000007160000-0x000000000716A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe
| MD5 | 77471d919a5e2151fb49f37c315af514 |
| SHA1 | 0687047ed80aa348bdc1657731f21181995b654c |
| SHA256 | 52666594a3e8bd7ac277411e215e1f65a7771f7c1d5b00a9e6ec95fade64f1f1 |
| SHA512 | 6ffb45e79b03bac2820c98503793cd11c13803f49522eea9334c4c6cd05384dda3a60b0a8a8f363abc439ad444f1a8da290f0350fa69b75b6c3c9701177f8844 |
memory/3124-38-0x0000000008050000-0x0000000008668000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\toolspub2.exe
| MD5 | cde750f39f58f1ec80ef41ce2f4f1db9 |
| SHA1 | 942ea40349b0e5af7583fd34f4d913398a9c3b96 |
| SHA256 | 0a434be25f55f27ce0adbdfb08efeac1da01125b3e9194a94669bc7e9c6fe094 |
| SHA512 | c181faacbef70f8a91606943470af50cfd443958c48601051371ff5d9bf66bb9ec794571b05a347a7f5776f06484dc007f535591d2f5e1c57e3c0ee04f3e9580 |
memory/3124-48-0x0000000007240000-0x0000000007252000-memory.dmp
memory/3124-44-0x0000000007A30000-0x0000000007B3A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7e41a1c24fc929332c543bbfcfe35e1c |
| SHA1 | 24bac343b1f9274d58000338ad6ca952d279e506 |
| SHA256 | a74afcff220ef3684c8f4422fd6448d17b26559d8dcd334c2c94251fc7308bbe |
| SHA512 | 3eaf8594fdfc130d3e77bcce87352f31e2bb9a12f099c05aaf5e1c4ac84fc9385267c859882ae1bb674878630d8517c26448c765e52a4dbb53e77512f71bd611 |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 66de89cce68597992b191cdeb3315608 |
| SHA1 | 5cf6e0281c763e3e19dcab2e51f60cf2e228b547 |
| SHA256 | 24911be65b64e351baf52569600c765a87be757ae267331b0ab733f421f0043f |
| SHA512 | 62942fffb007857fcb9c6e7dc6f0ccce71bdb47abe8005866e75198aad9d943aebedb73f050159c573f1019358e44537f94e2a175456833d9915d4b035f834d4 |
memory/3124-59-0x00000000072A0000-0x00000000072DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ffc2a021479aa849e8a49f2998867f28 |
| SHA1 | 03f251e2ee97c35985c95edaa874dd95b28b63aa |
| SHA256 | 447def5e41f9a1b3e57eae085d1289689d42a138395a54e8af046557e6bca193 |
| SHA512 | 2228279ad8179545b3064bb36ec051e9719c8d03e472b7df67519a7e06702217011a8b4763e4a6e9a09f1333e2bef55f0d95f20b607614e0b4e97f739076d455 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | e304dd37525095c4b9a36b2a56fdafe9 |
| SHA1 | db85880cf6177ae268473f1932f57978b77766d0 |
| SHA256 | fcae9d5dad0ac7fc09e21aac66417762ae3ce830cb7483cd082e49fcc770e419 |
| SHA512 | 39c40b9f9698d83c030ff75a1edef84a1ace004ad3d6c7c8155149c20c8a81520af1ff68748ecd158216117e9bec39e5b08b6a9987e8a2a8a14cada00e81aa7f |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | f20c1b59a919b1e412c1de88d0b9e1ea |
| SHA1 | 069a5af013c041fcb78525ae68c6c8c6da84c789 |
| SHA256 | 4e7a8dd6276583bd9600ae16c8724459897dd13c5bdcb2124f245c803dee0eb7 |
| SHA512 | bf17ac4fe4f6e410613f63c1418e911ee36b202db770e50563008edb62a3324b3036002668df040b8e58cc5aa38b2e87a25d69f2a6b2ab78e5f860a53fdfa15f |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | d7366a2bdcd1d261bee21a0cf2545b9b |
| SHA1 | c192d32c6f19067902a0a60db9b2e104711d6f5e |
| SHA256 | 9c71381a583a3657051a5d09560cf4d36411c6e93e0bc6c487f433cd31223db7 |
| SHA512 | 388798bdad8f550451cbf625765e41ce96605dea1c9f2fef3d6c51d1766d628ec91fb8a17f6c51e66a68a5a8e474d70d3041e842434035c8d582bc9af20fed48 |
C:\Users\Admin\AppData\Local\Temp\tuc3.exe
| MD5 | e51631776ba9e9b5aeead61bea651b76 |
| SHA1 | 47654f815ee15a01bf7bd662b27358d5700316af |
| SHA256 | 9fdae4bae589d7def17c618cbf42ee4c782634338bcbe0b9b013a9c6c965aca2 |
| SHA512 | 4642de47c6ee1a5aa22cce664103c81d9a9dff8fd7b5a1c2cdce118c13fdf9d24385c70c558215c943a8a42ac17e7cd58be22e6806f58f9b6720934732e54019 |
memory/3124-73-0x00000000072F0000-0x000000000733C000-memory.dmp
memory/2988-74-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 421ef4dbe8a259c2d4130b4220d504f5 |
| SHA1 | 84d95e2d6d3a246e9a7b327ff52284e38c316680 |
| SHA256 | d759a771ccadcdcd3cdf18f6345cd0748f6eda876294cf00f974189d815b4ed4 |
| SHA512 | 3e1a3c9f1bafb14fa07f1ebb135d0379ac497e475d79158dfd0b5c02079af9f22cc54d537fa73c6a4a67a6ad5f88ca9159c1873a6e87724bdd3d0e58eae49377 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 04cc956dec03d238571c1db53f8d1bcb |
| SHA1 | fd18a6f18cd2717821b9e54f0325d3a8db66a1cf |
| SHA256 | dfc5cb8800d467acf4089ecbae8872d2d6606bb63b71aa77d00b6bdbc5dde420 |
| SHA512 | d7594603e1f08045ae1b05af8da496b3e247f8b3aef617e35dd71d02e3daa295dc51c13a33a4ef0b332e2f657c7cb9fa1ff6f6d78a756eaa37c26c1f961c9eef |
C:\Users\Admin\AppData\Local\Temp\is-EOKF6.tmp\tuc3.tmp
| MD5 | 5525670a9e72d77b368a9aa4b8c814c1 |
| SHA1 | 3fdad952ea00175f3a6e549b5dca4f568e394612 |
| SHA256 | 1180706added2a7899f08f25a9f88ecff5d003ba8964f918d00779565e4a6978 |
| SHA512 | 757249f7e67f82522a8e3079a22c5cf92111626446a32ad3ef876f23885f62d1bb5bf3238d564e23531d062fe18742568dfc00e33b049bb8eef05eb953ef981a |
C:\Users\Admin\AppData\Local\Temp\C899.exe
| MD5 | 10a7d69cbd21cea6d41ae8f3552cbc42 |
| SHA1 | dcd78b08a28b642c442cce26a5d446d787ffd5cc |
| SHA256 | 8d94d29b15cbc3e250472461250fa1fc794a2022159c63efed70ff35d222c750 |
| SHA512 | f5a119a9d7f8a6946ddbc7d695c81ec80fb9c360a3db69f9b43c325ed004c565142034564bdb4505cce80c159b1f8fd0f9d49e5f5610d509bcaf39d3ac319bf1 |
memory/1296-91-0x0000000002930000-0x0000000002931000-memory.dmp
memory/2904-93-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/2904-94-0x0000000000C80000-0x0000000001232000-memory.dmp
memory/3832-95-0x0000000074F30000-0x00000000756E0000-memory.dmp
memory/2904-97-0x0000000005D30000-0x0000000005DCC000-memory.dmp
memory/2904-98-0x0000000005B50000-0x0000000005B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-K9F98.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
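Several paths in the Files section appear more than once with different digests (31839b57a4f11171d6abc8bbc4451ee4.exe three times, tuc3.exe three times, latestX.exe twice): the same file was written, then overwritten with different content as the download or unpack completed. For blocking and hunting you need every distinct hash, not just the last one. The script below is an added example (not part of the report) that parses a trimmed excerpt of the section, validates digest lengths, groups records by path and reports the multi-version paths; the excerpt keeps only MD5 and SHA256 from the entries above, and the helper names are mine.

```python
import re

# Excerpt copied from the Files section above (MD5 and SHA256 only);
# the memory/ line is included to show that dump entries are skipped.
FILES_EXCERPT = r"""
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 7e41a1c24fc929332c543bbfcfe35e1c |
| SHA256 | a74afcff220ef3684c8f4422fd6448d17b26559d8dcd334c2c94251fc7308bbe |
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | 66de89cce68597992b191cdeb3315608 |
| SHA256 | 24911be65b64e351baf52569600c765a87be757ae267331b0ab733f421f0043f |
memory/3124-59-0x00000000072A0000-0x00000000072DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
| MD5 | ffc2a021479aa849e8a49f2998867f28 |
| SHA256 | 447def5e41f9a1b3e57eae085d1289689d42a138395a54e8af046557e6bca193 |
C:\Users\Admin\AppData\Local\Temp\Broom.exe
| MD5 | d7366a2bdcd1d261bee21a0cf2545b9b |
| SHA256 | 9c71381a583a3657051a5d09560cf4d36411c6e93e0bc6c487f433cd31223db7 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 421ef4dbe8a259c2d4130b4220d504f5 |
| SHA256 | d759a771ccadcdcd3cdf18f6345cd0748f6eda876294cf00f974189d815b4ed4 |
C:\Users\Admin\AppData\Local\Temp\latestX.exe
| MD5 | 04cc956dec03d238571c1db53f8d1bcb |
| SHA256 | dfc5cb8800d467acf4089ecbae8872d2d6606bb63b71aa77d00b6bdbc5dde420 |
"""

# Expected hex length per digest; a truncated copy-paste fails validation.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return one {"path": ..., "MD5": ..., "SHA256": ...} record per dropped-file block.

    memory/ dump lines are skipped; a digest of the wrong length raises ValueError.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        if line.startswith("|"):
            cells = [c.strip() for c in line.strip("|").split("|")]
            if len(cells) != 2 or current is None:
                continue
            algo, digest = cells[0].upper(), cells[1].lower()
            if algo in HEX_LEN and not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[algo], digest):
                raise ValueError(f"{algo} for {current['path']} is not {HEX_LEN[algo]} hex chars")
            current[algo] = digest
        else:
            current = {"path": line}  # a new file record starts with its path
            records.append(current)
    return records


def group_by_path(records):
    """{path: [sha256, ...]} in the order the records appeared."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["path"], []).append(rec["SHA256"])
    return groups


def multi_version_paths(groups):
    """Paths seen with more than one distinct SHA256, most versions first."""
    found = [(path, len(set(hashes))) for path, hashes in groups.items() if len(set(hashes)) > 1]
    return sorted(found, key=lambda item: (-item[1], item[0]))


def ioc_sha256(records):
    """Deduplicated, sorted SHA256 list suitable for a blocklist."""
    return sorted({rec["SHA256"] for rec in records})


if __name__ == "__main__":
    recs = parse_files(FILES_EXCERPT)
    for path, versions in multi_version_paths(group_by_path(recs)):
        print(f"{versions} versions: {path}")
    print("\n".join(ioc_sha256(recs)))
```

Keying IOCs on the path or filename alone would be a mistake here twice over: the random four-hex names (C35B.exe, 9CA5.exe, A205.exe) change per run, and the stable names carry several different bodies. Ship the full SHA256 set and, where a hunt needs the on-disk name, pair it with the AppData\Local\Temp location rather than the name.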