Analysis
max time kernel: 150s
max time network: 141s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 17-12-2024 04:58
Behavioral task behavioral1
Sample: da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Resource: win10v2004-20241007-en
The signatures, YARA matches and process tree below come from behavioral1 (the Windows 7 x64 run); every resource path is prefixed behavioral1/.
General
Target: da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Size: 5.3MB
MD5: d4817ea043beaf35d19fa6a5adaa179c
SHA1: bf5c75100142731e737c04b55769c4479bef0c01
SHA256: da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d
SHA512: 98d2f67523de2260cad45ce2b3f0e6edd5322ad4d2d78854983c3410398079f1a0dd3f8b3dc69d3e0f052c566de3eb89d1de9a086378f542b1a2096ce0730277
SSDEEP: 98304:euP+GgrLRHeOxxsJFoQYVCkOTfOKfKQMZ8htPwCakmxrcTZcV+TQB:l+GgLRJghYckmmKfFMZqtMkicZcV2e
Malware Config
Extracted
Family: redline
Botnet: duc
C2: 159.223.34.114:1912
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | explorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.exe
ShowSuperHidden = 0 re-enables Explorer's "Hide protected operating system files" option, so files carrying the Hidden and System attributes stay out of directory listings. The explorer.exe and svchost.exe that write it are the copies dropped under c:\windows\resources (PIDs 2864 and 2544 in the process tree), not the Windows binaries of the same name.
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (2 IoCs)
resource | yara_rule
behavioral1/files/0x00070000000190ce-7.dat | family_redline
behavioral1/memory/2232-13-0x0000000000A60000-0x0000000000AB2000-memory.dmp | family_redline
The memory match is in PID 2232, the second instance started from the sample's own path (see the process tree); the 0x52000-byte region is consistent with the 300KB file listed under Downloads.
Redline family
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 6 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | explorer.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | spoolsv.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | svchost.exe
VBOX__ is the default OEM table ID VirtualBox places in the DSDT; a guest whose ACPI table identifiers have been renamed does not expose this key. Every stage of the chain repeats the check, and the chain nevertheless ran to completion in this environment.
Checks BIOS information in registry (2 TTPs, 12 IoCs)
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | explorer.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | icsys.icn.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | svchost.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | spoolsv.exe
On an unmodified virtual machine SystemBiosVersion and VideoBiosVersion carry the hypervisor's vendor strings (VBOX, VMware, BOCHS and the like); a sandbox that patches these strings defeats the check.
Executes dropped EXE (6 IoCs)
pid | Process
2232 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
2300 | icsys.icn.exe
2864 | explorer.exe
2900 | spoolsv.exe
2544 | svchost.exe
2616 | spoolsv.exe
The explorer.exe, spoolsv.exe and svchost.exe in this and the following tables are the copies dropped under c:\windows\resources (see "Drops file in Windows directory" and the process tree), not the Windows binaries of the same name.

Loads dropped DLL (6 IoCs)
pid | Process
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
2300 | icsys.icn.exe
2864 | explorer.exe
2900 | spoolsv.exe
2544 | svchost.exe
Themida packer (16 IoCs)
resource | yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2352-15-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/files/0x000700000001903b-18.dat | themida
behavioral1/memory/2300-24-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/files/0x001100000001866e-29.dat | themida
behavioral1/memory/2864-36-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/files/0x000a0000000191ff-43.dat | themida
behavioral1/memory/2864-45-0x0000000003C10000-0x00000000047F2000-memory.dmp | themida
behavioral1/files/0x0006000000019397-54.dat | themida
behavioral1/memory/2616-68-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2900-70-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2352-73-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2300-74-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2864-75-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2544-77-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
behavioral1/memory/2864-88-0x0000000000400000-0x0000000000FE2000-memory.dmp | themida
The themida rule matches the sample, four dropped files and the main image of every stage, each mapped at 0x400000-0xFE2000 (0xBE2000 bytes, about 12 MB), plus a second mapping of the same size inside PID 2864: each stage is a Themida-packed image with the same layout, which is why the anti-debug and anti-VM checks repeat identically per process. PID 2232 is the one process with no Themida match; that is where the RedLine payload was found.
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | explorer.exe
These are RunOnce values (run and then deleted at the next logon) rather than Run values, written through the Wow6432Node view because the writers are 32-bit processes on an x64 system. Both value names and the "RO" argument match the dropped binaries they launch; persistence that survives the one-shot RunOnce is provided by the scheduled task below.
Checks whether UAC is enabled (6 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | explorer.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | svchost.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | spoolsv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | icsys.icn.exe
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\explorer.exe | explorer.exe
File opened for modification | C:\Windows\SysWOW64\explorer.exe | svchost.exe
The target is the 32-bit explorer.exe under SysWOW64. The report records only that the file was opened for writing, not whether its contents changed; writing there needs administrator rights.
Suspicious use of NtSetInformationThreadHideFromDebugger (6 IoCs)
pid | Process
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
2300 | icsys.icn.exe
2864 | explorer.exe
2900 | spoolsv.exe
2544 | svchost.exe
2616 | spoolsv.exe
ThreadHideFromDebugger stops the calling thread's debug events from being delivered to an attached debugger. It is a standard anti-debug measure in Themida-protected binaries, so the six hits line up with the six Themida-packed stages rather than with the RedLine payload in PID 2232.
Drops file in Windows directory (5 IoCs)
description | ioc | Process
File opened for modification | \??\c:\windows\resources\themes\explorer.exe | icsys.icn.exe
File opened for modification | \??\c:\windows\resources\spoolsv.exe | explorer.exe
File opened for modification | \??\c:\windows\resources\svchost.exe | spoolsv.exe
File opened for modification | C:\Windows\Resources\tjud.exe | explorer.exe
File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Each stage writes the next: the sample drops icsys.icn.exe, which drops explorer.exe, which drops spoolsv.exe and tjud.exe, and spoolsv.exe drops svchost.exe. All of them land under C:\Windows, which a standard user cannot write to; the sandbox runs the sample as the user Admin.
System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
Attempts to gather information about the system language of the victim in order to infer the host's geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | icsys.icn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | spoolsv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
The three schtasks.exe hits come from the sample's own child processes; opening this key is routine for ordinary Windows processes, so on its own it is weak evidence.
Scheduled Task/Job: Scheduled Task (1 TTPs, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2836 | schtasks.exe
2024 | schtasks.exe
1392 | schtasks.exe
All three are launched by the dropped svchost.exe (PID 2544) and create the same task name "svchost" with /f (overwrite), one minute apart (05:00, 05:01, 05:02), each running c:\windows\resources\svchost.exe daily; the command lines are in the process tree. A task named svchost whose action is outside System32 is the durable artifact to hunt for.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | hits
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe | 17
2300 | icsys.icn.exe | 18
2864 | explorer.exe | 17
2900 | spoolsv.exe | 1
2544 | svchost.exe | 11
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
pid | Process
2864 | explorer.exe
2544 | svchost.exe

Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process | hits
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe | 2
2300 | icsys.icn.exe | 2
2864 | explorer.exe | 2
2900 | spoolsv.exe | 2
2544 | svchost.exe | 2
2616 | spoolsv.exe | 2
SetWindowsHookEx installs window-message or keyboard hooks; the report does not record which hook type was requested, so these hits alone do not establish keylogging.
Suspicious use of WriteProcessMemory (40 IoCs)
pid | Process | target pid | procid_target | records
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe | 2232 | 31 | 4
2352 | da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe | 2300 | 32 | 4
2300 | icsys.icn.exe | 2864 | 33 | 4
2864 | explorer.exe | 2900 | 34 | 4
2900 | spoolsv.exe | 2544 | 35 | 4
2544 | svchost.exe | 2616 | 36 | 4
2864 | explorer.exe | 3036 | 37 | 4
2544 | svchost.exe | 2836 | 38 | 4
2544 | svchost.exe | 2024 | 41 | 4
2544 | svchost.exe | 1392 | 43 | 4
Every target is a child the writer has just started (compare the process tree), and each pair is logged four times. The writes accompany the spawning of each child; nothing in the report shows memory being written into a process the sample did not itself create.
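The records above are flattened text in which each parent/child pair repeats and only the writer is named. The script below is an added example, not part of the sandbox's own tooling: it parses records of that shape, counts the repeats per writer/target pair and rebuilds the spawn tree. It embeds a constructed subset of this report's records (the first pair with all four repeats, one record for each remaining pair) and takes the image names of target-only PIDs from the process tree further down, since the records do not carry them.

```python
"""Rebuild the process tree from the sandbox's flattened 'wrote to memory of'
records. Added example: the record text is copied from this report; the
pid->image map for target-only PIDs comes from its process tree."""
import re
from collections import Counter, defaultdict

SAMPLE = "da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe"

# Constructed subset of the 40 records in the report: the first writer/target
# pair with all four repeats, then one record for each remaining pair.
WRITE_RECORDS = " ".join([
    f"PID 2352 wrote to memory of 2232 2352 {SAMPLE} 31",
    f"PID 2352 wrote to memory of 2232 2352 {SAMPLE} 31",
    f"PID 2352 wrote to memory of 2232 2352 {SAMPLE} 31",
    f"PID 2352 wrote to memory of 2232 2352 {SAMPLE} 31",
    f"PID 2352 wrote to memory of 2300 2352 {SAMPLE} 32",
    "PID 2300 wrote to memory of 2864 2300 icsys.icn.exe 33",
    "PID 2864 wrote to memory of 2900 2864 explorer.exe 34",
    "PID 2900 wrote to memory of 2544 2900 spoolsv.exe 35",
    "PID 2544 wrote to memory of 2616 2544 svchost.exe 36",
    "PID 2864 wrote to memory of 3036 2864 explorer.exe 37",
    "PID 2544 wrote to memory of 2836 2544 svchost.exe 38",
    "PID 2544 wrote to memory of 2024 2544 svchost.exe 41",
    "PID 2544 wrote to memory of 1392 2544 svchost.exe 43",
])

# Images of PIDs that only ever appear as targets, taken from the process tree.
CHILD_IMAGES = {2232: SAMPLE, 2616: "spoolsv.exe", 3036: r"C:\Windows\Explorer.exe",
                2836: "schtasks.exe", 2024: "schtasks.exe", 1392: "schtasks.exe"}

# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
RECORD_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_write_records(text):
    """Return (Counter of (writer, target) -> repeat count, {writer pid: image})."""
    edges, images = Counter(), {}
    for writer, target, image, _procid_target in RECORD_RE.findall(text):
        edges[(int(writer), int(target))] += 1
        images[int(writer)] = image
    return edges, images


def build_tree(edges):
    """Parent -> sorted children, one entry per pair regardless of repeats."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    return {parent: sorted(kids) for parent, kids in children.items()}


def roots(edges):
    """PIDs that write but are never written to: the top of each chain."""
    writers = {w for w, _ in edges}
    targets = {t for _, t in edges}
    return sorted(writers - targets)


def ancestry(edges, pid):
    """Chain of PIDs from the root down to `pid` (each target has one writer here)."""
    parent = {t: w for w, t in edges}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def render(children, images, pid, depth=0):
    """Indented text tree, depth-first, children in PID order."""
    lines = [f"{'  ' * depth}{pid} {images.get(pid, '?')}"]
    for child in children.get(pid, []):
        lines.extend(render(children, images, child, depth + 1))
    return lines


if __name__ == "__main__":
    edges, images = parse_write_records(WRITE_RECORDS)
    images.update(CHILD_IMAGES)
    print("\n".join(render(build_tree(edges), images, roots(edges)[0])))
    for (writer, target), n in sorted(edges.items()):
        print(f"{writer} -> {target}: {n} record(s)")
```

Running it prints the same chain the process tree shows (2352 at the top, the three schtasks.exe instances and the second spoolsv.exe under 2544, the real C:\Windows\Explorer.exe under 2864) and, for each pair, how many records the sandbox emitted; on the full record text every pair comes out at 4.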
Processes
Each stage starts the next one under the name of a Windows system binary from c:\windows\resources; the second instance of the sample itself (PID 2232) is the process in which the RedLine payload was found in memory. Indentation follows the sandbox's parent/child nesting.

C:\Users\Admin\AppData\Local\Temp\da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe  (PID 2352)
  command line: "C:\Users\Admin\AppData\Local\Temp\da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  \??\c:\users\admin\appdata\local\temp\da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe  (PID 2232, child of 2352)
    command line: c:\users\admin\appdata\local\temp\da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  C:\Windows\Resources\Themes\icsys.icn.exe  (PID 2300, child of 2352)
    command line: C:\Windows\Resources\Themes\icsys.icn.exe
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\resources\themes\explorer.exe  (PID 2864, child of 2300)
      command line: c:\windows\resources\themes\explorer.exe
      - Modifies visibility of hidden/system files in Explorer
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      \??\c:\windows\resources\spoolsv.exe  (PID 2900, child of 2864)
        command line: c:\windows\resources\spoolsv.exe SE
        - Identifies VirtualBox via ACPI registry values (likely anti-VM)
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        \??\c:\windows\resources\svchost.exe  (PID 2544, child of 2900)
          command line: c:\windows\resources\svchost.exe
          - Modifies visibility of hidden/system files in Explorer
          - Identifies VirtualBox via ACPI registry values (likely anti-VM)
          - Checks BIOS information in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops file in System32 directory
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory

          \??\c:\windows\resources\spoolsv.exe  (PID 2616, child of 2544)
            command line: c:\windows\resources\spoolsv.exe PR
            - Identifies VirtualBox via ACPI registry values (likely anti-VM)
            - Checks BIOS information in registry
            - Executes dropped EXE
            - Checks whether UAC is enabled
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - System Location Discovery: System Language Discovery
            - Suspicious use of SetWindowsHookEx

          C:\Windows\SysWOW64\schtasks.exe  (PID 2836, child of 2544)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:00 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe  (PID 2024, child of 2544)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:01 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

          C:\Windows\SysWOW64\schtasks.exe  (PID 1392, child of 2544)
            command line: schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:02 /f
            - System Location Discovery: System Language Discovery
            - Scheduled Task/Job: Scheduled Task

      C:\Windows\Explorer.exe  (PID 3036, child of 2864)
        command line: C:\Windows\Explorer.exe
        (no signatures; this is the genuine Windows shell, started by the dropped explorer.exe)
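The process tree and the signature tables document four host artifacts a responder can hunt for: RunOnce values whose program is a system-binary name under c:\windows\resources, a scheduled task named svchost whose action lies outside System32, ShowSuperHidden forced to 0, and .exe files created under C:\Windows\Resources. The script below is an added example, not the sandbox vendor's or the malware author's code; it encodes those checks as rules over constructed Sysmon-style events (RegistrySet, ProcessCreate, FileCreate) modelled on the IoCs in this report, with two benign control events that must not fire. The EXPECTED_DIRS map of legitimate locations is an assumption made for the example.

```python
"""Hunt rules for the persistence and evasion artifacts documented above,
run over constructed Sysmon-style events (not real sandbox telemetry)."""
import ntpath
import re

# Where Windows itself keeps binaries with these names; a file with one of these
# names anywhere else is treated as masquerading. Assumption for this example:
# on a real host derive the list from the system instead of hard-coding it.
EXPECTED_DIRS = {
    "explorer.exe": {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}


def normalize_path(path):
    """Lower-case a Windows path, drop quotes and the \\??\\ object-manager prefix."""
    path = path.strip().strip('"').lower()
    return path[4:] if path.startswith("\\??\\") else path


def masquerading_exe(path):
    """Return the impersonated name if `path` is named like a system binary but
    lives outside that binary's legitimate directories, else None."""
    path = normalize_path(path)
    name = ntpath.basename(path)
    if name in EXPECTED_DIRS and ntpath.dirname(path) not in EXPECTED_DIRS[name]:
        return name
    return None


def first_exe_token(cmdline):
    """Program path from a command line such as 'c:\\x\\a.exe RO' (quoted or bare)."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    return (m.group(1) or m.group(2)) if m else ""


def schtasks_arg(cmdline, switch):
    """Value of a schtasks switch (/tn, /tr, ...), quoted or bare; None if absent."""
    m = re.search(r'(?i)(?:^|\s)/' + switch + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def registry_dword(details):
    """Parse '0' or Sysmon's 'DWORD (0x00000000)' into an int; None if no number."""
    m = re.search(r"0x[0-9a-fA-F]+|\d+", details)
    if not m:
        return None
    text = m.group(0)
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)


def scan(events):
    """Apply the four hunt rules; return (rule, acting image, evidence) tuples."""
    findings = []
    for ev in events:
        kind, image = ev["type"], ev.get("image", "")
        if kind == "RegistrySet":
            key = ev["target"].lower()
            # Rule 1: Run/RunOnce value whose program masquerades as a system binary.
            if re.search(r"\\currentversion\\run(once)?\\", key) and \
                    masquerading_exe(first_exe_token(ev["details"])):
                findings.append(("autorun_masquerade", image, f"{ev['target']} = {ev['details']}"))
            # Rule 2: Explorer told to hide protected operating-system files.
            if key.endswith(r"\explorer\advanced\showsuperhidden") and registry_dword(ev["details"]) == 0:
                findings.append(("superhidden_disabled", image, ev["target"]))
        elif kind == "ProcessCreate" and ntpath.basename(normalize_path(image)) == "schtasks.exe":
            # Rule 3: schtasks /create whose action (/tr) masquerades as a system binary.
            cmd = ev["cmdline"]
            tr, tn = schtasks_arg(cmd, "tr"), schtasks_arg(cmd, "tn")
            if re.search(r"(?i)\s/create\b", cmd) and tr and masquerading_exe(first_exe_token(tr)):
                findings.append(("schtasks_masquerade", ev.get("parent_image", image), f"/tn {tn} /tr {tr}"))
        elif kind == "FileCreate":
            # Rule 4: executable written under C:\Windows\Resources, as every stage here does.
            target = normalize_path(ev["target"])
            if target.startswith("c:\\windows\\resources\\") and target.endswith(".exe"):
                findings.append(("exe_dropped_in_windows_resources", image, ev["target"]))
    return findings


# Constructed events modelled on this report's IoCs (Sysmon field names, HKLM/HKU
# hive prefixes); the last two are benign controls that must not fire.
SAMPLE_EVENTS = [
    {"type": "RegistrySet", "image": r"c:\windows\resources\svchost.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer",
     "details": r"c:\windows\resources\themes\explorer.exe RO"},
    {"type": "RegistrySet", "image": r"c:\windows\resources\svchost.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost",
     "details": r"c:\windows\resources\svchost.exe RO"},
    {"type": "RegistrySet", "image": r"c:\windows\resources\themes\explorer.exe",
     "target": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden",
     "details": "DWORD (0x00000000)"},
    {"type": "ProcessCreate", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"c:\windows\resources\svchost.exe",
     "cmdline": 'schtasks /create /tn "svchost" /tr "c:\\windows\\resources\\svchost.exe" /sc daily /st 05:00 /f'},
    {"type": "FileCreate", "image": r"c:\windows\resources\themes\icsys.icn.exe",
     "target": r"\??\c:\windows\resources\themes\explorer.exe"},
    {"type": "RegistrySet", "image": r"C:\Windows\System32\msiexec.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
    {"type": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'schtasks /create /tn "Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00'},
]

if __name__ == "__main__":
    for rule, image, evidence in scan(SAMPLE_EVENTS):
        print(f"{rule:35} {image}\n    {evidence}")
```

On the constructed input the scan returns five findings (two RunOnce values, the ShowSuperHidden change, the svchost task and the dropped explorer.exe) and nothing for the two controls. The masquerade test keys on the file name plus directory rather than on the process name alone, because the report shows the same names appearing in both legitimate (C:\Windows\Explorer.exe, PID 3036) and dropped (c:\windows\resources\themes\explorer.exe, PID 2864) form.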
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (T1547): 1, Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1, Scheduled Task (T1053.005): 1
Privilege Escalation
- Boot or Logon Autostart Execution (T1547): 1, Registry Run Keys / Startup Folder (T1547.001): 1
- Scheduled Task/Job (T1053): 1, Scheduled Task (T1053.005): 1
Defense Evasion
- Hide Artifacts (T1564): 1, Hidden Files and Directories (T1564.001): 1
- Modify Registry (T1112): 2
- Virtualization/Sandbox Evasion (T1497): 1
Downloads

(path not shown in the report)
Filesize: 5.6MB
MD5: 3d60dce6ad3d8b98d742c07c6109fbb3
SHA1: 36d42e87187cdd3852a1c5c54b277dcbda769322
SHA256: 574961a233e14c6a841a2209af9b1d1ed696509f73413d024cbd2623b9505ab0
SHA512: c4362f91de59aaaa4286fba0bd4efc78e828990c33a30e796371eaf4c2e4b3482ea4fb0c4365c8963942a3b4c70f87480b369388238ded2033e1d284f4169b7b

\Users\Admin\AppData\Local\Temp\da5844b02ebfa56b4c036ea50136e7766922fa1591d344130f5492e5624fdf5d.exe
Filesize: 300KB
MD5: c368cb0e4cc65cbdc012e449de37d973
SHA1: ae04d634ff3078e1912dc71d44c893c1dd47c399
SHA256: 57a8157689acab60874b086408091b4369f3f5f9d62bcc306c9e77ff9f3c5b7e
SHA512: e823a91ee1f8901ebc844d16ed1c585bd78fcf6fa143433649c1295f3724ddd29679949ec7b97485505b259e4ce7d012948f971451f0bde6b525cc915e3ed18a
This is the file at the sample's own path after execution: 300KB with a different hash, in place of the 5.3MB submitted binary. PID 2232 ran from this path as a dropped EXE and is the process whose memory matched family_redline, so this file is the RedLine payload and the submitted 5.3MB binary is its Themida-packed loader. Block and hunt on both hash sets.

(path not shown in the report)
Filesize: 5.0MB
MD5: 6a696257bd624ea0cdde713ff447b134
SHA1: fa17806195d1fb5a2077a7d43827f58832d57c35
SHA256: c2234864d3687f6eb397fc0fe4c81d2c54dbcf74161ab38b48a1150df753c573
SHA512: b49ac9b20ab4f1c8b7793f1c007ee7985f9c11c0c5c67cf99436f22275efca504a20480a0d6cf52c793060eb78f090a66d33a5f37bffe678591b16a55d7d94ae

(path not shown in the report)
Filesize: 5.6MB
MD5: 9e778b2d16929b8bf63d3505cdb0eb55
SHA1: d661151bcc93f6c104a9561416535dc940a745cb
SHA256: d2bccf9b16ae95f10422c36ad4311183826e787cf7c5de07ccb0c830bb837558
SHA512: 689dea41ae7ac91298e91fc94438aafe3389ff66a93c16e75b648f1926e02a8e5da31606545d501759d2fa3d984b0d41a1da22b4206c0d1b9846cce5b97655a0

(path not shown in the report)
Filesize: 5.6MB
MD5: 9e6246624702ed52661a16c7e43fb646
SHA1: 62a4d1f1ef452973eef11b8d91d8f32fc5eff30d
SHA256: 8e6ed3f2ca54a27b79695aef2e600ee1a64731da64031ff1ef5b28b89169d13f
SHA512: b4fd941f6fe413239d3b4e3fcac56c642968385bfe7a494f475ec833f57a867eb14b3cef5ee8acf265ed306c97dacad6b3f474ccb88c8fb60cf1268c36cadd1d
The four 5.0MB to 5.6MB files have distinct hashes, so the stages dropped under c:\windows\resources are not byte-identical copies of the sample; hash-based blocking of the original alone will not catch them.