Malware Analysis Report

2024-11-30 19:10

Sample ID: 240313-xxfrxafd33
Target: c6a8f3d39b2490346ec60813a441e1d6
SHA256: cee2541ee22b95d488c239a3926b43d750988b246e00740d283d5f892f9939e3
Tags: redline sectoprat build2_mastif agilenet infostealer persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: cee2541ee22b95d488c239a3926b43d750988b246e00740d283d5f892f9939e3

Threat Level: Known bad

The file c6a8f3d39b2490346ec60813a441e1d6 was found to be: Known bad.

Malicious Activity Summary

redline sectoprat build2_mastif agilenet infostealer persistence rat trojan

RedLine

SectopRAT

SectopRAT payload

RedLine payload

Checks computer location settings

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-13 19:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-13 19:13

Reported

2024-03-13 19:16

Platform

win7-20240221-en

Max time kernel

149s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2616 set thread context of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 209b55b47a75da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA9D39F1-E16D-11EE-9D31-EA483E0BCDAF} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e0000000002000000000010660000000100002000000050c8d06b597db3dc0ce35951b3b3861deb7b5354a854730e467bbef6dfe3c0c9000000000e8000000002000020000000f10421ce763a4f64a5dbff39c0da1e61aa8ec164a226f1890b4f243c31f45fb220000000eacd8915e1a7c970e0f2ed716b21e9ab42b490330b4cdb0bd322e1c89b2016874000000059232503907612417e4dae642bd069a1882653d43d8af54c7d854c7ee47261e5f854a4b70aa74a363dc61600db5f41edfe36577876003ff926c1f3d2515d1c71 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d94d2d3723739f48802cd6414eea5c7e0000000002000000000010660000000100002000000051cc504469fb6fd006e85298785e8534d20c370f0052d3600a5e726373340e5e000000000e80000000020000200000008f9fe11d567637cf6461029faae38ab2d1785f04a905ef725bb620fc74374e1390000000972a922c7f6cd211f0736b955fc00e723715887a8a0052aaf0f82a47f63451d3a4007e10afca362fcd2d768895140ff95bb99fd73b99bb0f75ee87b99183209d9726db1c475b72a79f99ea20311c204a4519b9dd8c63ed803dbc631590bb04205dbfa43dc53a40a9782ac45c918e85b0059a28e5cce5ab4d940b5ec68e78f412b697cfce23586c2f183c670eb8341ad0400000005e9d2495367292597f52f351dfb99b66b7312c511e64292330f8af213da5f2f23139370b760300b30946d8d7146a51ffdb5704a615a62160d1b65bf4f987a807 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416519122" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1308 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2952 wrote to memory of 2908 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 2908 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2908 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2908 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2908 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 1308 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2144 wrote to memory of 2476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2144 wrote to memory of 2476 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 2616 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe

"C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zS5061.tmp\Install.cmd" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1XQju7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2144 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.205:80 apps.identrust.com tcp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 95.181.157.69:8552 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-13 19:13

Reported

2024-03-13 19:16

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe"

Signatures

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3508 set thread context of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4584 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4584 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 4584 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
PID 1900 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 1900 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe C:\Windows\SysWOW64\cmd.exe
PID 3200 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3200 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4584 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4584 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 4584 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE
PID 3508 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe

"C:\Users\Admin\AppData\Local\Temp\c6a8f3d39b2490346ec60813a441e1d6.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS4A33.tmp\Install.cmd" "

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/1XQju7

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=1676 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5688 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5288 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5388 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5456 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2488 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5348 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 193.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 208.4.21.104.in-addr.arpa udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 104.21.4.208:443 iplogger.org udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
GB 104.78.177.227:443 www.microsoft.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
GB 104.77.160.9:443 bzib.nelreports.net tcp
US 8.8.8.8:53 158.6.107.13.in-addr.arpa udp
US 8.8.8.8:53 227.177.78.104.in-addr.arpa udp
GB 104.77.160.9:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 9.160.77.104.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 nw-umwatson.events.data.microsoft.com udp
US 20.189.173.22:443 nw-umwatson.events.data.microsoft.com tcp
US 8.8.8.8:53 22.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
GB 92.123.128.184:443 www.bing.com tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 184.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 104.21.4.208:443 iplogger.org udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 95.181.157.69:8552 tcp
RU 95.181.157.69:8552 tcp
GB 92.123.128.184:443 www.bing.com tcp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
RU 95.181.157.69:8552 tcp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
NL 172.217.168.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
RU 95.181.157.69:8552 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

MD5 3973c47bf5f334ea720a9d603d2c6510
SHA1 bf2b72dc12d4d41e08b452e465c40d010b2aba4e
SHA256 4e9a1202844e30f1d62d837cdb440764c851740ab8ee2bd4a8a31475bd449eea
SHA512 cafc322ba71bafad2b15b82553a2a0749d0b6cb8349fe7fd24de25f7dca48c5aa0c9e7d170571c87a55381ec21d33045d7ba9a17891aabee187358da9b406861

C:\Users\Admin\AppData\Local\Temp\7zS4A33.tmp\Install.cmd

MD5 21661026606353f423078c883708787d
SHA1 338e288b851e0e5bee26f887e50bfcd8150e8257
SHA256 6a77796213adbc0eb764c070a3fdfcb5bfa3ad9b6215c1be43f09bfd32014782
SHA512 61760ab64e2c38d9bd5102ab0106e451a5c91e1598906f92e1285b7ae1ca1c6e02480d4157d0f350d2dc816088b5b0838a5d7c7b9d80444ecbf9d62b9ca5b65b

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 0c6ef320b361f01d63147dec80c3f34c
SHA1 c04adc3da100118f72e41c1c4645cbf8fa813cee
SHA256 bf89a45619528967430c483c01da54306e4f1b200a8c062697218fdd60bac93f
SHA512 f204ea35dffab3bd703ccf3a52e8ce26be5cde8f24b485b8a0c34a7dc9948bfcae3c7d2d268d5e4fd736dd55245ee995a4bfe0726e2b7fbb379095c69e9ddb69

memory/3508-15-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/3508-16-0x0000000000DB0000-0x0000000000EBA000-memory.dmp

memory/3508-17-0x00000000058E0000-0x000000000597C000-memory.dmp

memory/3508-18-0x0000000005F30000-0x00000000064D4000-memory.dmp

memory/3508-19-0x0000000005980000-0x0000000005A12000-memory.dmp

memory/3508-20-0x0000000005B80000-0x0000000005B90000-memory.dmp

memory/3508-21-0x00000000058A0000-0x00000000058AA000-memory.dmp

memory/3508-22-0x0000000005BF0000-0x0000000005C46000-memory.dmp

memory/3508-23-0x0000000008660000-0x0000000008678000-memory.dmp

memory/3508-24-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/3508-25-0x0000000005B80000-0x0000000005B90000-memory.dmp

memory/3508-26-0x0000000006F20000-0x0000000006FAA000-memory.dmp

memory/3508-27-0x0000000006FB0000-0x0000000006FCE000-memory.dmp

memory/552-28-0x0000000000400000-0x000000000041E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\RUNTIM~1.EXE

MD5 34a69535b32edee7f6e4aabbb6d60235
SHA1 a3c3a7a826ae30c29e910e5afdba978075448975
SHA256 bd392618b6712c1b0f646fe3eeb7187e277046b238d3f0763303f6ca5b7fb9a9
SHA512 527cb78e03741bb38e8347bb73fc791c68431c8f6e89ea63557b6ccfd415d0eef346be965f431c85e4e06c293a08173d2d76e8b3864966f29c4e433f75d7b3ba

memory/552-31-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/3508-32-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/552-33-0x0000000005A70000-0x0000000006088000-memory.dmp

memory/552-34-0x0000000005510000-0x0000000005522000-memory.dmp

memory/552-35-0x0000000005570000-0x00000000055AC000-memory.dmp

memory/552-36-0x0000000005640000-0x0000000005650000-memory.dmp

memory/552-37-0x00000000055B0000-0x00000000055FC000-memory.dmp

memory/552-38-0x0000000005820000-0x000000000592A000-memory.dmp

memory/552-39-0x00000000751E0000-0x0000000075990000-memory.dmp

memory/552-40-0x0000000005640000-0x0000000005650000-memory.dmp