redline | 4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
Size

834KB
MD5

2a13bd0e8247f4e3b4b92e2248171ef6
SHA1

a5252c5b3aac0afda1fe76d1ec6339bb994ec9ce
SHA256

4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e
SHA512

d598ff6aa5bf9ad5a1e6fba0a2df72cc7e43589c7e77c753efc00ec4ab97131e4ffcc0289dc8339c881b95357328213bc6ac518f71e4118714e8ea87e8b3768e
SSDEEP

12288:bCf0rGLDrU1qBBuE+juhnS6/fRRCRdXcue9NNqo5TzIuYJhi9OKtqAOU80tZqoCh:bCdL4E+j8SmRRahe9NLr9ONAdy/IXi

Score

10^/10

redline sectoprat cheat discovery execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

cheat

185.222.58.70:55615

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-50-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2200-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2200-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2200-55-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2200-56-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-50-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2200-53-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2200-48-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2200-55-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat
behavioral1/memory/2200-56-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2200-50-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2200-53-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2200-48-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2200-55-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2200-56-0x0000000000400000-0x000000000041E000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables packed with SmartAssembly 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2576-24-0x0000000000350000-0x0000000000360000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly
behavioral1/memory/2576-25-0x0000000000370000-0x000000000037C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2460 powershell.exe
1212 powershell.exe
Executes dropped EXE 4 IoCs

Processes:

PO.exePO.exePO.exePO.exe

pid process

2576 PO.exe
760 PO.exe
2936 PO.exe
2200 PO.exe

pid	process
2460	powershell.exe
1212	powershell.exe

pid	process
2576	PO.exe
760	PO.exe
2936	PO.exe
2200	PO.exe

Loads dropped DLL 7 IoCs

Processes:

4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exePO.exe

pid	process
1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO.exe

description pid process target process

PID 2576 set thread context of 2200 2576 PO.exe PO.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2576 set thread context of 2200	2576	PO.exe	PO.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

PO.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	PO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	PO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	PO.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2972 schtasks.exe
Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

pid process

2576 PO.exe
2576 PO.exe
2576 PO.exe
2576 PO.exe
2576 PO.exe
2576 PO.exe
2576 PO.exe
2576 PO.exe
2460 powershell.exe
1212 powershell.exe
2200 PO.exe
2200 PO.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PO.exepowershell.exepowershell.exePO.exe

description pid process

Token: SeDebugPrivilege 2576 PO.exe
Token: SeDebugPrivilege 1212 powershell.exe
Token: SeDebugPrivilege 2460 powershell.exe
Token: SeDebugPrivilege 2200 PO.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

1248 DllHost.exe

pid	process
2972	schtasks.exe

pid	process
2576	PO.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe
2576	PO.exe
2460	powershell.exe
1212	powershell.exe
2200	PO.exe
2200	PO.exe

description	pid	process
Token: SeDebugPrivilege	2576	PO.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	2200	PO.exe

pid	process
1248	DllHost.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exePO.exe

description	pid	process	target process
PID 1216 wrote to memory of 2576	1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe	PO.exe
PID 1216 wrote to memory of 2576	1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe	PO.exe
PID 1216 wrote to memory of 2576	1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe	PO.exe
PID 1216 wrote to memory of 2576	1216	4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe	PO.exe
PID 2576 wrote to memory of 2460	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 2460	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 2460	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 2460	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 1212	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 1212	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 1212	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 1212	2576	PO.exe	powershell.exe
PID 2576 wrote to memory of 2972	2576	PO.exe	schtasks.exe
PID 2576 wrote to memory of 2972	2576	PO.exe	schtasks.exe
PID 2576 wrote to memory of 2972	2576	PO.exe	schtasks.exe
PID 2576 wrote to memory of 2972	2576	PO.exe	schtasks.exe
PID 2576 wrote to memory of 760	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 760	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 760	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 760	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2936	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2936	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2936	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2936	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe
PID 2576 wrote to memory of 2200	2576	PO.exe	PO.exe

C:\Users\Admin\AppData\Local\Temp\4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe
"C:\Users\Admin\AppData\Local\Temp\4968fd74d0eca2ecfb169c87dd8008181abe551ca91c7396c765fd67f588815e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KqWcrEQbkVyaIO.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KqWcrEQbkVyaIO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6558.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
PID:760

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
PID:2936

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe"
3⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1248

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C32.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PO.jpg
Filesize
48KB

MD5
e83ccb51ee74efd2a221be293d23c69a

SHA1
4365ca564f7cdd7337cf0f83ac5fd64317fb4c32

SHA256
da931852a19a707d01c3edf138622b8601056c42525f8ac40cb48af43a7410cc

SHA512
0252e629fbdafdb66ff63ef76d18f25d1ca46ac3eff019f012361db45ebd34d1a7a9ad35f7a2fc5830676c771997633f3abf1dc3224bd8f6bd55456b0a554a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA138.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6558.tmp
Filesize
1KB

MD5
bdcec0933420116eb6e15b88013b438a

SHA1
6fb122f22183a48a44916bc60b5e2fb2061d9386

SHA256
34298f4eafed110eadabd456b4ac49c79c6726e16c8c2e8adc05eb367159fc10

SHA512
45249b0b2ac972aa2c64f4d5bd8e59947e4a32fec14259e6266b42c7ea996163a3c5e1a7f3c72998e879558022918ef0b66e67e3bb4ed924d2da9f9b0da9c8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA878.tmp
Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA88D.tmp
Filesize
92KB

MD5
cca646afddab881d02bb60864ff72e23

SHA1
25b462e62a0219857cc854f6433e8acea77e3dbc

SHA256
c7223e5de0b0db22b3e193b2d48215816c75472ccdf9330a0ab66d4731b2e49e

SHA512
c35da6cfe5e4a3f887a876b38b4e5b9e6d5c035cf8d6f20158f89ee14a196941fd6a29faa1f90f64cd253556536670773ec15cd358014d994483a8745c41587d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
f02169a6749ec8a26e34a26ca4fedd59

SHA1
81882fe5cbe01e62578eea24584839b4861b0e9c

SHA256
63beee4647d65d716aeff07a142be3f53081a735c11fd496f40c1b369c0208dd

SHA512
f47a484c6861997ffcb075eaacb2cf2d716f8a19843a562154a7bb6e06efab1670be719798b9be71eb778055a6dc41682fb1cbd24af52c64e2455ec7bace14a0

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\PO.exe
Filesize
589KB

MD5
26afbb9dcfc34b21455b5af126c1bf9e

SHA1
ed732bf6ed3fd98ec70d1ed3ebe7d44a00df582e

SHA256
9b19e722aed6ca589d2d433cdceaf462c2d30c26916a9b3bbab7e8ed8c1ed78e

SHA512
da99c06b0647687de9eafd12468dc0cb27896692b99d842cba7a63229904d82a7cc753552abe82734b8143b03d7ea9df166bf8d8e3a7784c77184e8c9bb9698f

Download Submit
memory/1216-4-0x0000000002280000-0x0000000002282000-memory.dmp

Filesize
8KB

Download
memory/1248-6-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1248-5-0x0000000000140000-0x0000000000142000-memory.dmp

Filesize
8KB

Download
memory/1248-57-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2200-55-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2200-48-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-45-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-46-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-53-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2200-50-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2576-26-0x00000000051C0000-0x0000000005220000-memory.dmp

Filesize
384KB

Download
memory/2576-25-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2576-24-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/2576-23-0x0000000004D80000-0x0000000004DF0000-memory.dmp

Filesize
448KB

Download
memory/2576-21-0x00000000002B0000-0x0000000000344000-memory.dmp

Filesize
592KB

Download