redline | 2c3d6134bf6160409e38f9a19f7fa3a64f1b53218b358b1a562b3cea4935ecae

Analysis

max time kernel
1799s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-04-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

313KB
MD5

cf088f8d0b4f4154f3223f9b92217cf4
SHA1

703401a56132ee36a1b32113e552e4377fffaa71
SHA256

ee6a2fa32b5f52139503e50cd129d7d12f0921de2d3fd61edc4907de3dc42db8
SHA512

520e94c35d86b1de62e23b735212c27562e6eb12a04881ca2273147b9c4954a05612d2271cc562c365468ae8f71e75b9a387976d3fdb665c9819321d128abb78
SSDEEP

6144:cg5BUIlrf4ELEdw3xGkSwCtqpxoXry+6F64Eb+HgNRaMNhMErVpHKb:95BVrDEd47xCtqzUryh643gzNhMgF

Score

10^/10

redline xmrig zgrat @operrus discovery infostealer miner persistence rat spyware stealer

Malware Config

Extracted

Family

redline

Botnet

@operRUS

45.15.156.167:80

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000700000001ac74-90.dat	family_zgrat_v1
behavioral2/memory/4656-93-0x0000000000F40000-0x0000000001650000-memory.dmp	family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5056-4-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline

XMRig Miner payload 2 IoCs

miner

Processes:

resource	yara_rule
behavioral2/files/0x000700000001ac9f-749.dat	family_xmrig
behavioral2/files/0x000700000001ac9f-749.dat	xmrig

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig
Downloads MZ/PE file

Executes dropped EXE 8 IoCs

Processes:

conhost.exe7z.exe7z.exe7z.exeInstaller.exesvchost.exedllhost.exewinlogson.exe

pid	Process
2508	conhost.exe
2552	7z.exe
1840	7z.exe
3152	7z.exe
2732	Installer.exe
4656	svchost.exe
216	dllhost.exe
3088	winlogson.exe

Loads dropped DLL 4 IoCs

Processes:

7z.exe7z.exe7z.exesvchost.exe

pid	Process
2552	7z.exe
1840	7z.exe
3152	7z.exe
4656	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

powershell.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Windows\CurrentVersion\Run\kwweifjdskdv = "C:\\Users\\Admin\\AppData\\Local\\kwweifjdskdv\\kwweifjdskdv.exe"	powershell.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
19	pastebin.com
21	pastebin.com

Suspicious use of SetThreadContext 3 IoCs

Processes:

Setup.exeInstaller.exesvchost.exe

description	pid	Process	procid_target
PID 4800 set thread context of 5056	4800	Setup.exe	73
PID 2732 set thread context of 388	2732	Installer.exe	86
PID 4656 set thread context of 4800	4656	svchost.exe	92

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

Processes:

schtasks.exeschtasks.exe

pid	Process
4512	schtasks.exe
2224	schtasks.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

RegAsm.exeRegSvcs.exepowershell.exepowershell.exedllhost.exe

pid	Process
5056	RegAsm.exe
5056	RegAsm.exe
5056	RegAsm.exe
388	RegSvcs.exe
2032	powershell.exe
2032	powershell.exe
2032	powershell.exe
388	RegSvcs.exe
388	RegSvcs.exe
388	RegSvcs.exe
388	RegSvcs.exe
3180	powershell.exe
3180	powershell.exe
3180	powershell.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe
216	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

RegAsm.exe7z.exe7z.exe7z.exeRegSvcs.exepowershell.exeRegSvcs.exepowershell.exedllhost.exewinlogson.exe

description	pid	Process
Token: SeDebugPrivilege	5056	RegAsm.exe
Token: SeRestorePrivilege	2552	7z.exe
Token: 35	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeSecurityPrivilege	2552	7z.exe
Token: SeRestorePrivilege	1840	7z.exe
Token: 35	1840	7z.exe
Token: SeSecurityPrivilege	1840	7z.exe
Token: SeSecurityPrivilege	1840	7z.exe
Token: SeRestorePrivilege	3152	7z.exe
Token: 35	3152	7z.exe
Token: SeSecurityPrivilege	3152	7z.exe
Token: SeSecurityPrivilege	3152	7z.exe
Token: SeDebugPrivilege	388	RegSvcs.exe
Token: SeDebugPrivilege	2032	powershell.exe
Token: SeDebugPrivilege	4800	RegSvcs.exe
Token: SeDebugPrivilege	3180	powershell.exe
Token: SeDebugPrivilege	216	dllhost.exe
Token: SeLockMemoryPrivilege	3088	winlogson.exe
Token: SeLockMemoryPrivilege	3088	winlogson.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

winlogson.exe

pid	Process
3088	winlogson.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exeRegAsm.execonhost.execmd.exeInstaller.exeRegSvcs.execmd.exesvchost.execmd.execmd.exe

description	pid	Process	procid_target
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 4800 wrote to memory of 5056	4800	Setup.exe	73
PID 5056 wrote to memory of 2508	5056	RegAsm.exe	76
PID 5056 wrote to memory of 2508	5056	RegAsm.exe	76
PID 5056 wrote to memory of 2508	5056	RegAsm.exe	76
PID 2508 wrote to memory of 5096	2508	conhost.exe	77
PID 2508 wrote to memory of 5096	2508	conhost.exe	77
PID 5096 wrote to memory of 2204	5096	cmd.exe	79
PID 5096 wrote to memory of 2204	5096	cmd.exe	79
PID 5096 wrote to memory of 2552	5096	cmd.exe	80
PID 5096 wrote to memory of 2552	5096	cmd.exe	80
PID 5096 wrote to memory of 1840	5096	cmd.exe	81
PID 5096 wrote to memory of 1840	5096	cmd.exe	81
PID 5096 wrote to memory of 3152	5096	cmd.exe	82
PID 5096 wrote to memory of 3152	5096	cmd.exe	82
PID 5096 wrote to memory of 4256	5096	cmd.exe	83
PID 5096 wrote to memory of 4256	5096	cmd.exe	83
PID 5096 wrote to memory of 2732	5096	cmd.exe	84
PID 5096 wrote to memory of 2732	5096	cmd.exe	84
PID 5096 wrote to memory of 2732	5096	cmd.exe	84
PID 5056 wrote to memory of 4656	5056	RegAsm.exe	85
PID 5056 wrote to memory of 4656	5056	RegAsm.exe	85
PID 5056 wrote to memory of 4656	5056	RegAsm.exe	85
PID 2732 wrote to memory of 388	2732	Installer.exe	86
PID 2732 wrote to memory of 388	2732	Installer.exe	86
PID 2732 wrote to memory of 388	2732	Installer.exe	86
PID 2732 wrote to memory of 388	2732	Installer.exe	86
PID 2732 wrote to memory of 388	2732	Installer.exe	86
PID 388 wrote to memory of 5036	388	RegSvcs.exe	87
PID 388 wrote to memory of 5036	388	RegSvcs.exe	87
PID 388 wrote to memory of 5036	388	RegSvcs.exe	87
PID 5036 wrote to memory of 2032	5036	cmd.exe	89
PID 5036 wrote to memory of 2032	5036	cmd.exe	89
PID 5036 wrote to memory of 2032	5036	cmd.exe	89
PID 4656 wrote to memory of 1348	4656	svchost.exe	90
PID 4656 wrote to memory of 1348	4656	svchost.exe	90
PID 4656 wrote to memory of 1348	4656	svchost.exe	90
PID 4656 wrote to memory of 2396	4656	svchost.exe	91
PID 4656 wrote to memory of 2396	4656	svchost.exe	91
PID 4656 wrote to memory of 2396	4656	svchost.exe	91
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 4656 wrote to memory of 4800	4656	svchost.exe	92
PID 388 wrote to memory of 1124	388	RegSvcs.exe	93
PID 388 wrote to memory of 1124	388	RegSvcs.exe	93
PID 388 wrote to memory of 1124	388	RegSvcs.exe	93
PID 388 wrote to memory of 1572	388	RegSvcs.exe	94
PID 388 wrote to memory of 1572	388	RegSvcs.exe	94
PID 388 wrote to memory of 1572	388	RegSvcs.exe	94
PID 1124 wrote to memory of 4512	1124	cmd.exe	97
PID 1124 wrote to memory of 4512	1124	cmd.exe	97
PID 1124 wrote to memory of 4512	1124	cmd.exe	97
PID 1572 wrote to memory of 2224	1572	cmd.exe	98

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
4256	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5056
- - C:\Users\Admin\AppData\Local\Temp\conhost.exe
    "C:\Users\Admin\AppData\Local\Temp\conhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\main\main.bat" /S"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\system32\mode.com
        
        mode 65,10
        5⤵
        
        PID:2204
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e file.zip -p146312891125116171371883110193 -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_2.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\main\7z.exe
        
        7z.exe e extracted/file_1.zip -oextracted
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\system32\attrib.exe
        
        attrib +H "Installer.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4256
    - - C:\Users\Admin\AppData\Local\Temp\main\Installer.exe
        
        "Installer.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C powershell -EncodedCommand "PAAjAFYAeAA5AE4AeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFQAeQBtAE4AaAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFoAUwB2AGIAVwA4ADEAMQAxADEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBkAGoANgAxAFkASABPAGoAIwA+AA==" & powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0 & powercfg /hibernate off
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -EncodedCommand "PAAjAFYAeAA5AE4AeAAjAD4AIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAFQAeQBtAE4AaAB0ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAFoAUwB2AGIAVwA4ADEAMQAxADEAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBkAGoANgAxAFkASABPAGoAIwA+AA=="
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC MINUTE /MO 5 /TN "dllhost" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1009" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        SCHTASKS /CREATE /SC HOURLY /TN "NvStray\NvStrayService_bk1009" /TR "C:\ProgramData\Dllhost\dllhost.exe"
        8⤵
        Creates scheduled task(s)
        
        PID:2224
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      4⤵
      PID:1348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      4⤵
      PID:2396
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4800
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove -ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'kwweifjdskdv' -Value '"C:\Users\Admin\AppData\Local\kwweifjdskdv\kwweifjdskdv.exe"' -PropertyType 'String'
      4⤵
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3180

C:\ProgramData\Dllhost\dllhost.exe
C:\ProgramData\Dllhost\dllhost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c chcp 1251 & C:\ProgramData\Dllhost\winlogson.exe -c config.json
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    PID:164
- - C:\ProgramData\Dllhost\winlogson.exe
    C:\ProgramData\Dllhost\winlogson.exe -c config.json
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Dllhost\dllhost.exe

Filesize
62KB

MD5
4aa5e32bfe02ac555756dc9a3c9ce583

SHA1
50b52a46ad59cc8fdac2ced8a0dd3fceeb559d5f

SHA256
8a9235655b1a499d7dd9639c7494c3664e026b72b023d64ea8166808784a8967

SHA512
a02cf44a9fd47cff1017bbccf1a20bb5df71afb9110cd10c96a40aa83e8aeaff898bef465d60572282b30087144794192882b998e278e3a03d8a7e5e24313756

Download Submit
C:\ProgramData\Dllhost\winlogson.exe

Filesize
5.2MB

MD5
118c2d536d52dd30116baaf06dfe5e63

SHA1
fe510bca4c36cf0791132d15c58c33dee7bf0bc8

SHA256
f07c7223fdb691acbf0ebc7d9cc2ae614c0cf705920420c0130248a0c0e861d4

SHA512
431b4fdbd8268f8b5ef6357bafbf3dc261ec7a3662de7722a5fc2cdb2087db64a75aa356f2b9a023b2c8a96d422d651e3a3bfb2e324370287671bf9291dec8cf

Download Submit
C:\ProgramData\HostData\config.json

Filesize
321B

MD5
183ec6f10aa2aa4e224d725068d69a53

SHA1
4a8a26fd6c008f8f5170778a00c7016b55e91e88

SHA256
2517078e01ed6d8eabe0634cd5e75d3ff5fb208355dadec49a494f84874bfdcb

SHA512
963f7a4b64eca129a7ec10b039baedc96385cee514e0235cfeef3783459cb6ca8d216c7590348f389819269c223927201d882d83affaaaea47ea76c1f50133f7

Download Submit
C:\ProgramData\HostData\logs.uce

Filesize
346B

MD5
bb7313264bdfab2a43765b6f6abe67ee

SHA1
8e8e685e9ece9f4cdf66199dea090c422c0406f8

SHA256
cea0ef6d0e8318ee6adca97aebe02a14c42b501740c2a74808b17eb7a746ce53

SHA512
8746b94d230ea479fe463b7e2e1fdbbe39f15430c6920235c06c82c159dfc5a4880ab90a54b28d20dc70078cc0cf0aa784da7a7686cbef98f59ac2487b74f5ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
10c1010386acb29ec0716aafcf767a7a

SHA1
19fddf6c412e75d87a209420393e4c1503becec2

SHA256
681ca7c9b79c1a3d5b1e2df1e2692e09db5e31b83c46f4523dd0b9ce26f77798

SHA512
cabbcd91af31580e7b76047ad11b2a9204a13179d1972a16607713c08854411137c5fedce1e9ed4723340183403e20eaf3b588f22d3aff5284879d7fe966de2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp64A5.tmp

Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_an04fh1f.5nl.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\conhost.exe

Filesize
2.9MB

MD5
8340b7602e82921aa8d72ae4f8ea11cc

SHA1
a49524d26639130bc09acb4a0187917fbc5ec003

SHA256
efee38133480e7ccaa11424d49bb3d8ebdb89ffb1d81a10f6c405337e7d3a737

SHA512
eab92e881f24d6fdcb061540c3ee96f4d4fa9e26a7ef1ea82743ebca3e64821f94467cc65a2c3e83ee4c9091cc4e714e938b9f583c3dc9f88938555322e04f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.dll

Filesize
1.6MB

MD5
72491c7b87a7c2dd350b727444f13bb4

SHA1
1e9338d56db7ded386878eab7bb44b8934ab1bc7

SHA256
34ad9bb80fe8bf28171e671228eb5b64a55caa388c31cb8c0df77c0136735891

SHA512
583d0859d29145dfc48287c5a1b459e5db4e939624bd549ff02c61eae8a0f31fc96a509f3e146200cdd4c93b154123e5adfbfe01f7d172db33968155189b5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\7z.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\ANTIAV~1.DAT

Filesize
2.2MB

MD5
b5e813efd092c823e641722e0e721cf2

SHA1
e381b6fc4a362091a4b09e6e366d15efdb6820d3

SHA256
fe75fd8c297d1d223ba238caa95e2d3bd9436538d125c8b87f62a297aeb11b42

SHA512
be677d3811cd2a3f6b187ac53e7086307776abc9fef39165c4b0a54aceaa332a88da84e4ce4234a653c12a2a57dabd77ddf74b40ae9e709436b8ac6ef7d96283

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\Installer.exe

Filesize
610KB

MD5
6141fcd89a442521fabada983b07696a

SHA1
c884d75aa3df2ab52ad128146e45825466db257e

SHA256
5a4414a62987d89c24f62ba447cb25b3310a4e543dcb505a807e62a77d8d1426

SHA512
5f482678d7c71127d67f9b52d3e4c4e99111a4a2bbcbf36e299f57c6fffb354a490d573ee565b99483ac9b3ff015fc9337dffdb5d739a94d1994662a5dde0107

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_1.zip

Filesize
499KB

MD5
ca8acb796044d922702f2fedd039c718

SHA1
45b997cc60b4875eec3f462006f1605dcb16c984

SHA256
710634857b5c70a6b6f014da45b0e1705a180aca3f2c1d53c39aa179d2451671

SHA512
591c1da7c720500440aa47bc52423457d0963eca381451a6163a144c0168ed863b45872020a2a6fa645b97db397e93060265f7c150616a039c2aed25cd0607da

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\extracted\file_2.zip

Filesize
2.1MB

MD5
7f93db1b1ba5dd798ee0fb7ac1ee5b5a

SHA1
b68db4bdb7ad77c720a1861ec9158b49b99c3473

SHA256
50806e50951c2ab080a1ad10873349940355d49cbecf564bdc4d3ca65516dff2

SHA512
41e7df8738ef3f549d20c3943d0a4b2aa34e91675604d0bec62fa6633d7fb262a38adcde70b8c08639cbf9d62cf043b4220b8fc20483f061687815da22faef5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\file.bin

Filesize
2.1MB

MD5
fc7c63ffa72326c3641efbdf507ab046

SHA1
a65964ee890eabc1e09d16ad4a36fa0530290435

SHA256
3bac3a7196c4e1f347bbfc4bb7319c14a60155edadb246cc41f3a251b76f3bf6

SHA512
39168751411ceff6b44013bb3eb2ca4a59c6b11f119d3fac72fcf85d401113170dd056d8dcdce29f0f60b38feedc0cb4bc72461ed32c17d6a616c446eacd62e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\main\main.bat

Filesize
476B

MD5
4edd28bf306d37273a4b30ef3f75d92f

SHA1
db8fbd39931f0faaa160c700435279210bf97cc3

SHA256
e49d849e2a89613a493a07ee4f15f56cde89073e1dc527a4881846dd03eaa130

SHA512
b05fb8ff44ce032d09f096de855d99d64f64c03dead392863aa186edd05809fc99825862432dc7b826447b5880fe7b1eeb6135502df35d0227c16691665530df

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
7.1MB

MD5
45d20d471e6f3f8f088d489d62058f23

SHA1
d261d037781fb5e7124a40df3d2e32e4d694c2c4

SHA256
36fb77c427020d85e61482f25c7e8127221e1d48c358be97728068e6a487b711

SHA512
3e04852233147146e76684ebcc335e6281413796cf148d34234b86753a3f2b2afb2e58853d44873dc43f9578639ef55f35aab98aaee7dda718f6cfaeb4e4a02e

Download Submit
\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/388-110-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/388-116-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/388-117-0x00000000031A0000-0x00000000031B0000-memory.dmp

Filesize
64KB

Download
memory/2032-126-0x0000000007F30000-0x0000000008280000-memory.dmp

Filesize
3.3MB

Download
memory/2032-183-0x000000007F6B0000-0x000000007F6C0000-memory.dmp

Filesize
64KB

Download
memory/2032-122-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2032-399-0x0000000009A00000-0x0000000009A1A000-memory.dmp

Filesize
104KB

Download
memory/2032-198-0x0000000009A60000-0x0000000009AF4000-memory.dmp

Filesize
592KB

Download
memory/2032-197-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/2032-196-0x0000000009780000-0x0000000009825000-memory.dmp

Filesize
660KB

Download
memory/2032-189-0x0000000009760000-0x000000000977E000-memory.dmp

Filesize
120KB

Download
memory/2032-187-0x00000000731F0000-0x000000007323B000-memory.dmp

Filesize
300KB

Download
memory/2032-120-0x0000000003380000-0x00000000033B6000-memory.dmp

Filesize
216KB

Download
memory/2032-185-0x0000000009720000-0x0000000009753000-memory.dmp

Filesize
204KB

Download
memory/2032-128-0x0000000008610000-0x000000000865B000-memory.dmp

Filesize
300KB

Download
memory/2032-127-0x00000000078D0000-0x00000000078EC000-memory.dmp

Filesize
112KB

Download
memory/2032-125-0x0000000007670000-0x00000000076D6000-memory.dmp

Filesize
408KB

Download
memory/2032-124-0x00000000075D0000-0x00000000075F2000-memory.dmp

Filesize
136KB

Download
memory/2032-123-0x0000000007900000-0x0000000007F28000-memory.dmp

Filesize
6.2MB

Download
memory/2032-121-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2732-111-0x0000000000640000-0x0000000000740000-memory.dmp

Filesize
1024KB

Download
memory/3088-751-0x0000028DF3EC0000-0x0000028DF3EE0000-memory.dmp

Filesize
128KB

Download
memory/4656-159-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-160-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-162-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-155-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-99-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-98-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4656-149-0x0000000003CB0000-0x0000000003CC0000-memory.dmp

Filesize
64KB

Download
memory/4656-95-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-94-0x0000000006600000-0x000000000669C000-memory.dmp

Filesize
624KB

Download
memory/4656-166-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-92-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4656-93-0x0000000000F40000-0x0000000001650000-memory.dmp

Filesize
7.1MB

Download
memory/4656-157-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-137-0x00000000080A0000-0x000000000833C000-memory.dmp

Filesize
2.6MB

Download
memory/4656-140-0x0000000008720000-0x0000000008AFA000-memory.dmp

Filesize
3.9MB

Download
memory/4656-141-0x0000000008C00000-0x0000000008D92000-memory.dmp

Filesize
1.6MB

Download
memory/4656-152-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-150-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-151-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4656-153-0x0000000006500000-0x0000000006600000-memory.dmp

Filesize
1024KB

Download
memory/4800-177-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-48-0x0000000002D20000-0x0000000004D20000-memory.dmp

Filesize
32.0MB

Download
memory/4800-1-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4800-7-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4800-161-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-158-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-163-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-0-0x0000000000970000-0x00000000009C4000-memory.dmp

Filesize
336KB

Download
memory/4800-10-0x0000000002D20000-0x0000000004D20000-memory.dmp

Filesize
32.0MB

Download
memory/4800-165-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-167-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-188-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-172-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-171-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/4800-169-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-174-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-164-0x00000000054E0000-0x00000000054F0000-memory.dmp

Filesize
64KB

Download
memory/4800-192-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-186-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-154-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-179-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4800-182-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/5056-39-0x0000000009460000-0x00000000094C6000-memory.dmp

Filesize
408KB

Download
memory/5056-34-0x0000000006F90000-0x0000000006FA2000-memory.dmp

Filesize
72KB

Download
memory/5056-40-0x0000000009860000-0x00000000098B0000-memory.dmp

Filesize
320KB

Download
memory/5056-41-0x000000000A8B0000-0x000000000AA72000-memory.dmp

Filesize
1.8MB

Download
memory/5056-35-0x0000000006FF0000-0x000000000702E000-memory.dmp

Filesize
248KB

Download
memory/5056-32-0x0000000007070000-0x0000000007676000-memory.dmp

Filesize
6.0MB

Download
memory/5056-30-0x0000000006700000-0x000000000671E000-memory.dmp

Filesize
120KB

Download
memory/5056-36-0x00000000088D0000-0x000000000891B000-memory.dmp

Filesize
300KB

Download
memory/5056-12-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-86-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-97-0x00000000727C0000-0x0000000072EAE000-memory.dmp

Filesize
6.9MB

Download
memory/5056-29-0x0000000006120000-0x0000000006196000-memory.dmp

Filesize
472KB

Download
memory/5056-9-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/5056-11-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/5056-8-0x0000000005920000-0x0000000005E1E000-memory.dmp

Filesize
5.0MB

Download
memory/5056-4-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5056-42-0x000000000AFB0000-0x000000000B4DC000-memory.dmp

Filesize
5.2MB

Download
memory/5056-33-0x00000000087C0000-0x00000000088CA000-memory.dmp

Filesize
1.0MB

Download