redline | 316352339068b73a707dfb3f7607a20570ebbfcf353c4ba3673f20020265f550

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6E24CD1CD545C6432990490BE68B605D.exe
Size

747KB
MD5

6e24cd1cd545c6432990490be68b605d
SHA1

f0ea3d92b704140b8a3d1c97c9926fdeadcd0507
SHA256

316352339068b73a707dfb3f7607a20570ebbfcf353c4ba3673f20020265f550
SHA512

daa00fef2d215614af516142f780fa04987f12337ccaae24a8c57260f5733eda23e9df146d66020fd5fedf50f96e999e5045dbd756da96a0cef25448e5de66c5
SSDEEP

12288:r5xWIar6twID63qyyiFGF8PJsoY+YtbP8LHujF/dA+wVwGDH+/fRRCr:1xt46tN63qicUJsoYtbMHSF/u+wSBRRi

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

185.222.58.234:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-55-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2060-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2060-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2060-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2060-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2060-55-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2060-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2060-51-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2060-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2060-46-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3044 powershell.exe
2524 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

PO.exePO.exePO.exe

pid process

2656 PO.exe
3052 PO.exe
2060 PO.exe
Loads dropped DLL 6 IoCs

Processes:

6E24CD1CD545C6432990490BE68B605D.exePO.exe

pid process

1760 6E24CD1CD545C6432990490BE68B605D.exe
1760 6E24CD1CD545C6432990490BE68B605D.exe
1760 6E24CD1CD545C6432990490BE68B605D.exe
1760 6E24CD1CD545C6432990490BE68B605D.exe
2656 PO.exe
2656 PO.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2656 set thread context of 2060 2656 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3044	powershell.exe
2524	powershell.exe

pid	process
2656	PO.exe
3052	PO.exe
2060	PO.exe

pid	process
1760	6E24CD1CD545C6432990490BE68B605D.exe
1760	6E24CD1CD545C6432990490BE68B605D.exe
1760	6E24CD1CD545C6432990490BE68B605D.exe
1760	6E24CD1CD545C6432990490BE68B605D.exe
2656	PO.exe
2656	PO.exe

description	pid	process	target process
PID 2656 set thread context of 2060	2656	PO.exe	PO.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

PO.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PO.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2792 schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

pid process

2656 PO.exe
2656 PO.exe
2656 PO.exe
2656 PO.exe
2656 PO.exe
2656 PO.exe
3044 powershell.exe
2524 powershell.exe
2060 PO.exe
2060 PO.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description pid process

Token: SeDebugPrivilege 2656 PO.exe
Token: SeDebugPrivilege 2524 powershell.exe
Token: SeDebugPrivilege 3044 powershell.exe
Token: SeDebugPrivilege 2060 PO.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1968 DllHost.exe

pid	process
2792	schtasks.exe

pid	process
2656	PO.exe
2656	PO.exe
2656	PO.exe
2656	PO.exe
2656	PO.exe
2656	PO.exe
3044	powershell.exe
2524	powershell.exe
2060	PO.exe
2060	PO.exe

description	pid	process
Token: SeDebugPrivilege	2656	PO.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2060	PO.exe

pid	process
1968	DllHost.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

6E24CD1CD545C6432990490BE68B605D.exePO.exe

description	pid	process	target process
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 1760 wrote to memory of 2656	1760	6E24CD1CD545C6432990490BE68B605D.exe	PO.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2524	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 3044	2656	PO.exe	powershell.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 2792	2656	PO.exe	schtasks.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 3052	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe
PID 2656 wrote to memory of 2060	2656	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\6E24CD1CD545C6432990490BE68B605D.exe
"C:\Users\Admin\AppData\Local\Temp\6E24CD1CD545C6432990490BE68B605D.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AqqPPBpChw.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AqqPPBpChw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6D73.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
PID:3052

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2060

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1968

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
265ee8b91556b1c8864f7e6499dd9355

SHA1
0262d053423c0789b30241e6db40d491ede5b683

SHA256
23f0ab2b1e34639d140126c20ac0d0dc04b1bfbf19d8f2925a79d11199d66331

SHA512
0cfa24281c75fedf19adb32d268c1f4f8b8cc9e7314c4f1256f7abbcc14e6482d9105334109b8f17fddf04edd29a7337e08b7ad178bca50fda438e84a28b3976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab85C5.tmp
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
831KB

MD5
fe315870e0fdef950aab636ca820aec1

SHA1
14b8956b5cce0f7540ab1a5706c968597554d0aa

SHA256
05b42d1c572bdd68f683251d4b81644f16cc24732ffda90ec77794310a104b70

SHA512
a7f47959681638f725dfbad05de827b4fb12082db4d9b277d019ae219ca0d0223cdb1a9b43540da7bfc679db2521577aaf1489f26c9f59ee7f20bc25f3a7f894

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8664.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6D73.tmp
Filesize
1KB

MD5
d43fd5db73f386895e8686e59a925405

SHA1
05ee90279423e4d60aad22e4a3c23b8e7186693a

SHA256
de9b1adaeecac215aa617641d954028b28ca224050a347611f2a4a316bb5375c

SHA512
79252051bbed04eee5477c69ce3fb4cd2290e25e0fb2f07b7d66f26b3ac501fbe993e2cb1be99e3ff949ef0fe517522b0f58ace1c2291a7c9c639b3102da4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CF0.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8D05.tmp
Filesize
92KB

MD5
f5582ab8cd4909e3531c32d3a28f156e

SHA1
40402c9af7fcff602e5efb662a08a3577b019379

SHA256
da23680ac69b11618f023c43695198e3ab7ace6b831fd2e189d81d15aa333ad6

SHA512
1f1a3bf4b03621518013f064c777e56eb6594e53e39e589f7c274993cc188c3b800986a5d6b15131e64c3b76b74af7d68ef43ae29794db0b8e3ec9862382195f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
dc896a54495324b630aad1882c10deb6

SHA1
366a043eac79d4c921fbfff746c94ddaa1b2f94b

SHA256
cbc1f9ca7ce563b97abfd88c682061f264df5185a380da4c04284e124d2d76d4

SHA512
6a4eb81ab1df77ec883edcf159c253591359a4862a993b9aa612f20fc2bb4d296f0818aa2338528892ecac683b1d21a3de3602d313e255e734a5de057d34cede

Download Submit
memory/1760-4-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/1968-5-0x00000000000C0000-0x00000000000C2000-memory.dmp

Filesize
8KB

Download
memory/2060-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-44-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-50-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2060-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2060-42-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-26-0x0000000005130000-0x0000000005190000-memory.dmp

Filesize
384KB

Download
memory/2656-25-0x0000000004DF0000-0x0000000004E5E000-memory.dmp

Filesize
440KB

Download
memory/2656-24-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2656-23-0x00000000005C0000-0x00000000005C8000-memory.dmp

Filesize
32KB

Download
memory/2656-22-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2656-20-0x0000000000B50000-0x0000000000C22000-memory.dmp

Filesize
840KB

Download