Overview
overview
10Static
static
31b7cbee30e...8d.exe
windows10-2004-x64
101cb2277eea...2a.exe
windows10-2004-x64
1026dae86d00...a2.exe
windows10-2004-x64
1035cd974b16...ec.exe
windows10-2004-x64
1045e7028a78...91.exe
windows10-2004-x64
104cd2f124df...48.exe
windows10-2004-x64
105fdef2b38d...0a.exe
windows10-2004-x64
107284e9e031...c7.exe
windows10-2004-x64
10781c022afd...54.exe
windows10-2004-x64
1084163f9b0d...a5.exe
windows10-2004-x64
1090251e43cd...e4.exe
windows10-2004-x64
109a3023ff33...37.exe
windows10-2004-x64
10b4b999d8f3...50.exe
windows7-x64
10b4b999d8f3...50.exe
windows10-2004-x64
10bdd93956fe...8b.exe
windows10-2004-x64
10cf840721c0...70.exe
windows10-2004-x64
10e52fb58b8a...f1.exe
windows10-2004-x64
10ecfbac56ff...9e.exe
windows10-2004-x64
10f0f492b9b0...9a.exe
windows10-2004-x64
10f921df4c23...0d.exe
windows10-2004-x64
10Analysis
-
max time kernel
138s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 18:55
Static task
static1
Behavioral task
behavioral1
Sample
1b7cbee30e4459916b5b164befe5e20b7a876df411fdb5d2d2cd7c073a28b18d.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral2
Sample
1cb2277eead0aab1238acbbff542f7d6307542e95025dda95856efeb7bc12a2a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
26dae86d0011ac84e93abfd2169b28a6dee3498b8be9c3b84f657506d4e2a9a2.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral4
Sample
35cd974b16f79c47cbb0de20c8a1ff5494093da28e9909d73df1cc40bc1e6dec.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
45e7028a78d903a8ece02b9d51f82b76972b2b5e64db0bc12aa6cb69f53a2291.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral6
Sample
4cd2f124dfaf247a46d235c0823069c1056a2efb67c0f74547fb75dcfb603748.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
5fdef2b38d6a927d590cbceb6a8c3f4e278c41ce01d872925603603cd7d0bc0a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral8
Sample
7284e9e031d95f98bb1c673f3691adb26e5acc31e6d2c745b85bc97fc82edec7.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral9
Sample
781c022afdd03ecc97a7195986c14b7a81fc5a02d1b0e8c7561a1a1ff3406754.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral10
Sample
84163f9b0d959067de44eac4cb117f34b55119476a35c8291d0be25585618ea5.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
90251e43cdd68d8c070a8180eb78fdfc113d4e2ff40733af3a3332c51744eae4.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral12
Sample
9a3023ff334b34f4bea043eedeced95c41485b4799d3c2d56c0cb04b60143937.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
b4b999d8f3fb923a4d4cd17b173ba8474c698443430fdc63b8da6ad6eae57d50.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
bdd93956feba699c1eac73030a5ce8e55ae51fab4852062d8e46e8ed460a2b8b.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral16
Sample
cf840721c08fa286313bd7ac68fc5bac88559652036dfbdcc7b3c6f0cfa13d70.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
e52fb58b8a7d4f8b7eea558e3f50385d34e76f92baeede9698343046ba3273f1.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral18
Sample
ecfbac56ff2c59238da4332d5cd1561d05a08ac0d65b57b9caf329f063fc939e.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral19
Sample
f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral20
Sample
f921df4c23777a797ffd956196cd2ea4805eaf3eefcc839de781c7e6af836f0d.exe
Resource
win10v2004-20240508-en
General
-
Target
f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe
-
Size
1.4MB
-
MD5
765269c9a1ce5e07ed722e4dc399903e
-
SHA1
2ac7ccffbcc8b3ba9356530dc3f39602ac73a08f
-
SHA256
f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a
-
SHA512
10d029f8bb12c86e10f24a82f40de263990ae482daba9f5832d5a241affb3b83eeb3334f2ae6a89a0d3e20375666e77d06d0f71ab31171bc739eca86033e8177
-
SSDEEP
24576:Yy5JBuqqev8GvUk7jT755577FaovivYSM5rJaf8VZ9+Xq8DTFfdOuBbvS+ashD:f5JBsev8Gv9nxYotVJtVSvhdO8p
Malware Config
Extracted
redline
grome
77.91.124.86:19084
Extracted
amadey
3.89
04d170
http://77.91.124.1
-
install_dir
fefffe8cea
-
install_file
explothe.exe
-
strings_key
36a96139c1118a354edf72b1080d4b2f
-
url_paths
/theme/index.php
Signatures
-
Detect Mystic stealer payload 4 IoCs
resource yara_rule behavioral19/memory/5032-39-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral19/memory/5032-40-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral19/memory/5032-42-0x0000000000400000-0x0000000000434000-memory.dmp mystic_family behavioral19/files/0x0007000000023537-69.dat mystic_family -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" AppLaunch.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" AppLaunch.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" AppLaunch.exe -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 1 IoCs
resource yara_rule behavioral19/memory/2988-51-0x0000000000400000-0x000000000043E000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation 5VO4Af9.exe Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation explothe.exe -
Executes dropped EXE 13 IoCs
pid Process 5004 xx5PY70.exe 2476 tt4vL61.exe 2124 Mc7aA33.exe 1620 In6AX00.exe 4920 1pQ78ST5.exe 4660 2vH3769.exe 4532 3eU59rb.exe 2656 4Lp952Pp.exe 1612 5VO4Af9.exe 232 explothe.exe 1304 6ft4OK5.exe 3088 explothe.exe 3820 explothe.exe -
Adds Run key to start application 2 TTPs 5 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" xx5PY70.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" tt4vL61.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" Mc7aA33.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" In6AX00.exe -
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target PID 4920 set thread context of 1408 4920 1pQ78ST5.exe 96 PID 4660 set thread context of 5032 4660 2vH3769.exe 100 PID 2656 set thread context of 2988 2656 4Lp952Pp.exe 113 -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1304 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3eU59rb.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3eU59rb.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI 3eU59rb.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 4468 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 1408 AppLaunch.exe 1408 AppLaunch.exe 1408 AppLaunch.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1408 AppLaunch.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2664 wrote to memory of 5004 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 91 PID 2664 wrote to memory of 5004 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 91 PID 2664 wrote to memory of 5004 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 91 PID 5004 wrote to memory of 2476 5004 xx5PY70.exe 92 PID 5004 wrote to memory of 2476 5004 xx5PY70.exe 92 PID 5004 wrote to memory of 2476 5004 xx5PY70.exe 92 PID 2476 wrote to memory of 2124 2476 tt4vL61.exe 93 PID 2476 wrote to memory of 2124 2476 tt4vL61.exe 93 PID 2476 wrote to memory of 2124 2476 tt4vL61.exe 93 PID 2124 wrote to memory of 1620 2124 Mc7aA33.exe 94 PID 2124 wrote to memory of 1620 2124 Mc7aA33.exe 94 PID 2124 wrote to memory of 1620 2124 Mc7aA33.exe 94 PID 1620 wrote to memory of 4920 1620 In6AX00.exe 95 PID 1620 wrote to memory of 4920 1620 In6AX00.exe 95 PID 1620 wrote to memory of 4920 1620 In6AX00.exe 95 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 4920 wrote to memory of 1408 4920 1pQ78ST5.exe 96 PID 1620 wrote to memory of 4660 1620 In6AX00.exe 97 PID 1620 wrote to memory of 4660 1620 In6AX00.exe 97 PID 1620 wrote to memory of 4660 1620 In6AX00.exe 97 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 4660 wrote to memory of 5032 4660 2vH3769.exe 100 PID 2124 wrote to memory of 4532 2124 Mc7aA33.exe 101 PID 2124 wrote to memory of 4532 2124 Mc7aA33.exe 101 PID 2124 wrote to memory of 4532 2124 Mc7aA33.exe 101 PID 2476 wrote to memory of 2656 2476 tt4vL61.exe 112 PID 2476 wrote to memory of 2656 2476 tt4vL61.exe 112 PID 2476 wrote to memory of 2656 2476 tt4vL61.exe 112 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 2656 wrote to memory of 2988 2656 4Lp952Pp.exe 113 PID 5004 wrote to memory of 1612 5004 xx5PY70.exe 114 PID 5004 wrote to memory of 1612 5004 xx5PY70.exe 114 PID 5004 wrote to memory of 1612 5004 xx5PY70.exe 114 PID 1612 wrote to memory of 232 1612 5VO4Af9.exe 115 PID 1612 wrote to memory of 232 1612 5VO4Af9.exe 115 PID 1612 wrote to memory of 232 1612 5VO4Af9.exe 115 PID 2664 wrote to memory of 1304 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 116 PID 2664 wrote to memory of 1304 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 116 PID 2664 wrote to memory of 1304 2664 f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe 116 PID 232 wrote to memory of 4468 232 explothe.exe 117 PID 232 wrote to memory of 4468 232 explothe.exe 117 PID 232 wrote to memory of 4468 232 explothe.exe 117 PID 232 wrote to memory of 1488 232 explothe.exe 119 PID 232 wrote to memory of 1488 232 explothe.exe 119
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe"C:\Users\Admin\AppData\Local\Temp\f0f492b9b0439f9df9e575d91555b387484582434a05ee11e543b6cd24ed979a.exe"1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xx5PY70.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\xx5PY70.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tt4vL61.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\tt4vL61.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mc7aA33.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Mc7aA33.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\In6AX00.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\In6AX00.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pQ78ST5.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\1pQ78ST5.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4920 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵
- Modifies Windows Defender Real-time Protection settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vH3769.exeC:\Users\Admin\AppData\Local\Temp\IXP004.TMP\2vH3769.exe6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4660 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"7⤵PID:5032
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eU59rb.exeC:\Users\Admin\AppData\Local\Temp\IXP003.TMP\3eU59rb.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4532
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lp952Pp.exeC:\Users\Admin\AppData\Local\Temp\IXP002.TMP\4Lp952Pp.exe4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"5⤵PID:2988
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VO4Af9.exeC:\Users\Admin\AppData\Local\Temp\IXP001.TMP\5VO4Af9.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:232 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F5⤵
- Creates scheduled task(s)
PID:4468
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit5⤵PID:1488
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:4092
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:N"6⤵PID:2260
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "explothe.exe" /P "Admin:R" /E6⤵PID:2808
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"6⤵PID:3656
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:N"6⤵PID:4896
-
-
C:\Windows\SysWOW64\cacls.exeCACLS "..\fefffe8cea" /P "Admin:R" /E6⤵PID:1260
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exeC:\Users\Admin\AppData\Local\Temp\IXP000.TMP\6ft4OK5.exe2⤵
- Executes dropped EXE
PID:1304
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4136,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:81⤵PID:4564
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:3088
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start wuauserv1⤵
- Launches sc.exe
PID:1304
-
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exeC:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe1⤵
- Executes dropped EXE
PID:3820
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
226B
MD5916851e072fbabc4796d8916c5131092
SHA1d48a602229a690c512d5fdaf4c8d77547a88e7a2
SHA2567e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d
SHA51207ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521
-
Filesize
183KB
MD51e57c2a7b987ae92dc21c50746b37063
SHA1a07d908ac7deac366e385d34f68be772b43d37d2
SHA2562249197c31828fc399259ec0264df1eec433a0294253b121616c265b9bcb198b
SHA5126a9b2b2539cccb4cfd5f34fc14d0affd2fd07ed3ccdd77070558220e376fee0a6d5b6a7729fcd6d66479c15a27f4855b138b1a20c1b4ac29bac6d5d038e0b024
-
Filesize
1.2MB
MD5e0be10a970dd14a2b36f2a78ec016e77
SHA102d5e7a9848fee617e050e0e084a29a46b4a7753
SHA256ec14ebb568f1b427ca18c55a3ded58e7ece7fc04dfdf52f943b261462ef09d7f
SHA51271d2fe30c63ee6b970ada325d1e625be3f651bd62e135e8ee534f68c7804f70dbeb845c65dc9265b884e397de149b571d10ee09c675669655a6b51f56aafa32d
-
Filesize
220KB
MD5267aebc6b564cd5af7176af505128ff2
SHA196f7ddd98321e73ebb335c78c18628c741b53e2a
SHA256f5aa7480889a53eca382a8947c97744fe962f85b9c7bd459bb60303f0aa3078e
SHA51202814af6d3a642a6766f5a2f73ccf31d009136ef0293918295d2225997ae2591a37b58937493ec9ddc444b07c0d5897aaa46a3cec1376de0cc951a874c5e005b
-
Filesize
1.0MB
MD52076fb09414ce6b15a91abac6b9d713d
SHA186ed72e68643b4e01858963e6629f57d496e457e
SHA256d2d765359eea2bf052f66dbfa72d09d07d9c25706ab8b7aaede6d7ba2c0b950e
SHA512b93d77e74115cfb17c41722eb4b57518fdd7ef823a3a49add5dcbf36baddab28680eebae52d4a011ee8061b08e3f576257ab1700cee798e19519bcc1311c8625
-
Filesize
1.1MB
MD5d39396a7641565604dd201364366363f
SHA16e6b19540ef9fd1915979b0341783d75f0d0f636
SHA256a6a915a0a1028bc8cea33ad7833c2272e0ea338af665c1a7b482694f559575d8
SHA512cdf8e08f1f303b46a9e0cae370b0175984e0cfa306540769a3650dad17b4c738c20f96ea54f6994dbad8d9ea7bb40770ddc818ad96e9f1b69a91dd11ebe4027a
-
Filesize
649KB
MD5229764350bd0f115b9300418e2818442
SHA110c0666dacd0df74247a192fbd8118e42f1ab59d
SHA2561a8dcb10952146e24b7a3a8777f2aca61a4651d05289bcce5663e6263d8aa81e
SHA51250dafb4682a7b939232fda03788df2c7468b0bcc777cb91bc34628d529a93ae81ff4081f67171c96865fe80be09d0fbe438cc01cd5267473edf80d549a35c1d3
-
Filesize
30KB
MD5b37d14cd53de80da8e09dbce04144c3a
SHA13ea89612a5be9715be23195df46d42d4ac2393bb
SHA256ccb7f4a6e87a5ef30a3c814ab4c3db456bbddba8599363205f10e4086ee2fd8c
SHA512da1321527200db70c9f8e29d30b56d3fa5496de9f373716b1a5d4c3afcaf66418efd246dcfba9a9b8bd599b541e9b9ebfeaa6a9fd8a962865026d9f407be4d09
-
Filesize
525KB
MD58ab913cd17013811739bc097603445cb
SHA122912bcc7381043546852855e95d0f4f38497293
SHA256e66ed5a6933023063c381bcfabcebb8bf76a7e996a329477de6742209e1af291
SHA512b5a419b53b1bc7f8d61bef0ae0415e356b647208b3a3d25e06b103885ae073558fb205407fcc9e38cef2148b2be8047750dec97ee836be789437e98ca7638caf
-
Filesize
878KB
MD59489b609e0a08e64019d65a0d382c550
SHA11f3d23bfd30faabccdc238a4af4e5c5bc69314a3
SHA256c5b92358c3c05791c95917eb70d9fd3237d04049217cbea1a34bb3bd23ac1697
SHA51212479d3b2d9c365216426ff840f457e1dfce30dc53e3395f2d0fedf6bace1096fdc44ed3270820335df141dee686eb241c606952b4a9b392cfa59a7d45c42e87
-
Filesize
1.1MB
MD5b1ae64c6acaf51c622ba1fb096fc194c
SHA10cb0e620a31965da93ce01a7fb4cacbf6827843f
SHA256d5c4ccf9a7ada40adfcb554052654ee8c83ce6083ff676b1b5c7a66d15e2317a
SHA512ad54ec80a5d695a8e1da70d7b863b349c6dfd117b67ffb33fd74c7897a93f16a4f9add246daaeedd41b0fa132a4b66b09c8c5ef605735372f5885880bafe21d4