plugx | 46e99e70a21a9ecd28e61195f175bea9260eea38b1718f6750166688d955e91e

Analysis

max time kernel
4s
max time network
82s
platform
windows10_x64
resource
win10v20210410
submitted
27-05-2021 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15CC8191E7728032CDABE71FAC938139.exe
Size

3.9MB
MD5

15cc8191e7728032cdabe71fac938139
SHA1

1b23c3637e4ddb26115bd9152525d15b4af73a36
SHA256

46e99e70a21a9ecd28e61195f175bea9260eea38b1718f6750166688d955e91e
SHA512

c5a77d8d0a94785f2715d023584bc024305326baac85539e3cb53b0ad319da35401a9affd745d4248789970f737fafd3bdf7e059624fe3b61347fb0314cc00f8

Score

10^/10

plugx redline smokeloader aspackv2 backdoor infostealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://20xbtc.com/upload/

http://yzsnw.com/upload/

http://kaledebiyat.com/upload/

http://expertizizmir.com/upload/

http://dedkndy.com/upload/

http://theuncu.com/upload/

rc4.i32

Signatures

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral2/memory/5536-338-0x000000000041698A-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x000100000001ab77-115.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab77-116.dat	aspack_v212_v242
behavioral2/files/0x000200000001ab68-119.dat	aspack_v212_v242
behavioral2/files/0x000200000001ab67-120.dat	aspack_v212_v242
behavioral2/files/0x000200000001ab68-122.dat	aspack_v212_v242
behavioral2/files/0x000200000001ab67-121.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab6d-124.dat	aspack_v212_v242
behavioral2/files/0x000100000001ab6d-125.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1788	setup_install.exe
360	metina_1.exe
3408	metina_3.exe
2072	metina_5.exe
3660	metina_4.exe
2144	metina_2.exe
4104	metina_6.exe
4172	FNaHqxLJoVZAeSmvWEiyM7mp.exe
4224	metina_7.exe
4240	metina_8.exe
4332	jfiag3g_gg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000001ab7f-187.dat	upx
behavioral2/files/0x000100000001ab7f-186.dat	upx
behavioral2/files/0x000100000001aba2-308.dat	upx
behavioral2/files/0x000100000001aba2-306.dat	upx

Loads dropped DLL 8 IoCs

pid	Process
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
1788	setup_install.exe
4172	FNaHqxLJoVZAeSmvWEiyM7mp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com
64	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 7 IoCs

pid	pid_target	Process	procid_target
4788	5060	WerFault.exe	108
6112	5060	WerFault.exe	108
2240	5060	WerFault.exe	108
732	5060	WerFault.exe	108
3084	5060	WerFault.exe	108
6224	5772	WerFault.exe	133
6416	5772	WerFault.exe	133

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
5152	schtasks.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5028	PING.EXE
4484	PING.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 1788	2204	15CC8191E7728032CDABE71FAC938139.exe	74
PID 2204 wrote to memory of 1788	2204	15CC8191E7728032CDABE71FAC938139.exe	74
PID 2204 wrote to memory of 1788	2204	15CC8191E7728032CDABE71FAC938139.exe	74
PID 1788 wrote to memory of 4036	1788	setup_install.exe	79
PID 1788 wrote to memory of 4036	1788	setup_install.exe	79
PID 1788 wrote to memory of 4036	1788	setup_install.exe	79
PID 1788 wrote to memory of 2068	1788	setup_install.exe	80
PID 1788 wrote to memory of 2068	1788	setup_install.exe	80
PID 1788 wrote to memory of 2068	1788	setup_install.exe	80
PID 1788 wrote to memory of 1036	1788	setup_install.exe	81
PID 1788 wrote to memory of 1036	1788	setup_install.exe	81
PID 1788 wrote to memory of 1036	1788	setup_install.exe	81
PID 1788 wrote to memory of 1408	1788	setup_install.exe	82
PID 1788 wrote to memory of 1408	1788	setup_install.exe	82
PID 1788 wrote to memory of 1408	1788	setup_install.exe	82
PID 1788 wrote to memory of 3180	1788	setup_install.exe	83
PID 1788 wrote to memory of 3180	1788	setup_install.exe	83
PID 1788 wrote to memory of 3180	1788	setup_install.exe	83
PID 1788 wrote to memory of 4060	1788	setup_install.exe	86
PID 1788 wrote to memory of 4060	1788	setup_install.exe	86
PID 1788 wrote to memory of 4060	1788	setup_install.exe	86
PID 1788 wrote to memory of 2444	1788	setup_install.exe	84
PID 1788 wrote to memory of 2444	1788	setup_install.exe	84
PID 1788 wrote to memory of 2444	1788	setup_install.exe	84
PID 1788 wrote to memory of 3588	1788	setup_install.exe	85
PID 1788 wrote to memory of 3588	1788	setup_install.exe	85
PID 1788 wrote to memory of 3588	1788	setup_install.exe	85
PID 4036 wrote to memory of 360	4036	cmd.exe	87
PID 4036 wrote to memory of 360	4036	cmd.exe	87
PID 4036 wrote to memory of 360	4036	cmd.exe	87
PID 1788 wrote to memory of 3944	1788	setup_install.exe	88
PID 1788 wrote to memory of 3944	1788	setup_install.exe	88
PID 1788 wrote to memory of 3944	1788	setup_install.exe	88
PID 1788 wrote to memory of 4008	1788	setup_install.exe	95
PID 1788 wrote to memory of 4008	1788	setup_install.exe	95
PID 1788 wrote to memory of 4008	1788	setup_install.exe	95
PID 1036 wrote to memory of 3408	1036	cmd.exe	94
PID 1036 wrote to memory of 3408	1036	cmd.exe	94
PID 1036 wrote to memory of 3408	1036	cmd.exe	94
PID 1408 wrote to memory of 3660	1408	cmd.exe	93
PID 1408 wrote to memory of 3660	1408	cmd.exe	93
PID 1408 wrote to memory of 3660	1408	cmd.exe	93
PID 3180 wrote to memory of 2072	3180	cmd.exe	89
PID 3180 wrote to memory of 2072	3180	cmd.exe	89
PID 3180 wrote to memory of 2072	3180	cmd.exe	89
PID 2068 wrote to memory of 2144	2068	cmd.exe	90
PID 2068 wrote to memory of 2144	2068	cmd.exe	90
PID 2068 wrote to memory of 2144	2068	cmd.exe	90
PID 4060 wrote to memory of 4104	4060	cmd.exe	92
PID 4060 wrote to memory of 4104	4060	cmd.exe	92
PID 2072 wrote to memory of 4172	2072	metina_5.exe	91
PID 2072 wrote to memory of 4172	2072	metina_5.exe	91
PID 2072 wrote to memory of 4172	2072	metina_5.exe	91
PID 2444 wrote to memory of 4224	2444	cmd.exe	98
PID 2444 wrote to memory of 4224	2444	cmd.exe	98
PID 3588 wrote to memory of 4240	3588	cmd.exe	96
PID 3588 wrote to memory of 4240	3588	cmd.exe	96
PID 3588 wrote to memory of 4240	3588	cmd.exe	96
PID 3660 wrote to memory of 4332	3660	metina_4.exe	97
PID 3660 wrote to memory of 4332	3660	metina_4.exe	97
PID 3660 wrote to memory of 4332	3660	metina_4.exe	97

C:\Users\Admin\AppData\Local\Temp\15CC8191E7728032CDABE71FAC938139.exe
"C:\Users\Admin\AppData\Local\Temp\15CC8191E7728032CDABE71FAC938139.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\7zSC9897034\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSC9897034\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_1.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_1.exe
      metina_1.exe
      4⤵
      Executes dropped EXE
      PID:360
    - - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd
        5⤵
        
        PID:4516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_2.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_2.exe
      metina_2.exe
      4⤵
      Executes dropped EXE
      PID:2144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_3.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1036
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_3.exe
      metina_3.exe
      4⤵
      Executes dropped EXE
      PID:3408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_4.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_4.exe
      metina_4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        Executes dropped EXE
        
        PID:4332
    - - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        5⤵
        
        PID:5028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_5.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_5.exe
      metina_5.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2072
    - - C:\Users\Admin\AppData\Local\Temp\is-7F6VT.tmp\metina_5.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-7F6VT.tmp\metina_5.tmp" /SL5="$50084,140518,56832,C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_5.exe"
        5⤵
        
        PID:4172
      - C:\Users\Admin\AppData\Local\Temp\is-2QGUU.tmp\_____Zi____DanE______10.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-2QGUU.tmp\_____Zi____DanE______10.exe" /S /UID=burnerch3
        6⤵
        
        PID:4688
        
        C:\Program Files\Windows Mail\MEKXSDUABT\ultramediaburner.exe
        
        "C:\Program Files\Windows Mail\MEKXSDUABT\ultramediaburner.exe" /VERYSILENT
        7⤵
        
        PID:5656
        
        C:\Users\Admin\AppData\Local\Temp\is-QOT18.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-QOT18.tmp\ultramediaburner.tmp" /SL5="$4004A,281924,62464,C:\Program Files\Windows Mail\MEKXSDUABT\ultramediaburner.exe" /VERYSILENT
        8⤵
        
        PID:5724
        
        C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        9⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\cf-d27d8-54b-16b84-451a438cf65ec\Jixaevaexiry.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cf-d27d8-54b-16b84-451a438cf65ec\Jixaevaexiry.exe"
        7⤵
        
        PID:5756
        
        C:\Users\Admin\AppData\Local\Temp\a4-034da-d5b-f50bc-6e5fc384e746d\ZHiwaewutipo.exe
        
        "C:\Users\Admin\AppData\Local\Temp\a4-034da-d5b-f50bc-6e5fc384e746d\ZHiwaewutipo.exe"
        7⤵
        
        PID:5916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\tcjgx0au.bls\001.exe & exit
        8⤵
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\tcjgx0au.bls\001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tcjgx0au.bls\001.exe
        9⤵
        
        PID:4368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\sgbzu2je.zzm\installer.exe /qn CAMPAIGN="654" & exit
        8⤵
        
        PID:6380
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_7.exe
      metina_7.exe
      4⤵
      Executes dropped EXE
      PID:4224
    - - C:\Users\Admin\AppData\Roaming\Oe1jUxs3LaF7gIQV726Kpi6X.exe
        
        "C:\Users\Admin\AppData\Roaming\Oe1jUxs3LaF7gIQV726Kpi6X.exe"
        5⤵
        
        PID:5060
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 656
        6⤵
        Program crash
        
        PID:4788
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 668
        6⤵
        Program crash
        
        PID:6112
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 768
        6⤵
        Program crash
        
        PID:2240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 812
        6⤵
        Program crash
        
        PID:732
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 1072
        6⤵
        Program crash
        
        PID:3084
    - - C:\Users\Admin\AppData\Roaming\m5CIKHiHkutkTHVKin2u5Usw.exe
        
        "C:\Users\Admin\AppData\Roaming\m5CIKHiHkutkTHVKin2u5Usw.exe"
        5⤵
        
        PID:1072
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AddInProcess32.exe
        6⤵
        
        PID:5536
    - - C:\Users\Admin\AppData\Roaming\COfyRK3ziiW5e8ZvIupFQUFe.exe
        
        "C:\Users\Admin\AppData\Roaming\COfyRK3ziiW5e8ZvIupFQUFe.exe"
        5⤵
        
        PID:3860
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:4652
    - - C:\Users\Admin\AppData\Roaming\niU3E9vHOEwqzXpcpJoRTe39.exe
        
        "C:\Users\Admin\AppData\Roaming\niU3E9vHOEwqzXpcpJoRTe39.exe"
        5⤵
        
        PID:4540
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\niU3E9vHOEwqzXpcpJoRTe39.exe"
        6⤵
        
        PID:5740
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 1 -w 3000
        7⤵
        Runs ping.exe
        
        PID:5028
    - - C:\Users\Admin\AppData\Roaming\69chhdBqhdZpGGyQB9SaKE2Q.exe
        
        "C:\Users\Admin\AppData\Roaming\69chhdBqhdZpGGyQB9SaKE2Q.exe"
        5⤵
        
        PID:3984
    - - C:\Users\Admin\AppData\Roaming\SxCy5UL7mi9M0pZY84znMKi8.exe
        
        "C:\Users\Admin\AppData\Roaming\SxCy5UL7mi9M0pZY84znMKi8.exe"
        5⤵
        
        PID:3880
    - - C:\Users\Admin\AppData\Roaming\eEecfdrrIALsz9vixOqZMt6v.exe
        
        "C:\Users\Admin\AppData\Roaming\eEecfdrrIALsz9vixOqZMt6v.exe"
        5⤵
        
        PID:4516
      - C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        6⤵
        
        PID:5804
      - C:\Program Files (x86)\Company\NewProduct\runme.exe
        
        "C:\Program Files (x86)\Company\NewProduct\runme.exe"
        6⤵
        
        PID:5772
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 656
        7⤵
        Program crash
        
        PID:6224
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5772 -s 672
        7⤵
        Program crash
        
        PID:6416
      - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        6⤵
        
        PID:5960
      - C:\Program Files (x86)\Company\NewProduct\lij.exe
        
        "C:\Program Files (x86)\Company\NewProduct\lij.exe"
        6⤵
        
        PID:5888
    - - C:\Users\Admin\AppData\Roaming\Wz1f0hTZ8xpWyJsdQTzKOs9i.exe
        
        "C:\Users\Admin\AppData\Roaming\Wz1f0hTZ8xpWyJsdQTzKOs9i.exe"
        5⤵
        
        PID:4392
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49579.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\49579.exe"
        6⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\dfrgui.exe
        
        "C:\Windows\system32\dfrgui.exe"
        7⤵
        
        PID:5944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /create /sc minute /mo 5 /tn "Update" /tr "%SYSTEMDRIVE%\Users\%USERNAME%\AppData\Local\zz%USERNAME%\%USERNAME%.vbs" /F
        8⤵
        Creates scheduled task(s)
        
        PID:5152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\del.bat
        6⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping localhost -n 3
        7⤵
        Runs ping.exe
        
        PID:4484
    - - C:\Users\Admin\AppData\Roaming\FNaHqxLJoVZAeSmvWEiyM7mp.exe
        
        "C:\Users\Admin\AppData\Roaming\FNaHqxLJoVZAeSmvWEiyM7mp.exe"
        5⤵
        
        PID:4064
      - C:\Users\Admin\AppData\Roaming\FNaHqxLJoVZAeSmvWEiyM7mp.exe
        
        "C:\Users\Admin\AppData\Roaming\FNaHqxLJoVZAeSmvWEiyM7mp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4172
    - - C:\Users\Admin\AppData\Roaming\DN9K3IFmBAb1bokALPrR1bBr.exe
        
        "C:\Users\Admin\AppData\Roaming\DN9K3IFmBAb1bokALPrR1bBr.exe"
        5⤵
        
        PID:5288
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",setpwd
        6⤵
        
        PID:6340
    - - C:\Users\Admin\AppData\Roaming\KoqlF5ZGpF7Mcry22o86pTu9.exe
        
        "C:\Users\Admin\AppData\Roaming\KoqlF5ZGpF7Mcry22o86pTu9.exe"
        5⤵
        
        PID:2420
    - - C:\Users\Admin\AppData\Roaming\XFeExexvItXRCkBUyBDekvDe.exe
        
        "C:\Users\Admin\AppData\Roaming\XFeExexvItXRCkBUyBDekvDe.exe"
        5⤵
        
        PID:5012
      - C:\Users\Admin\AppData\Roaming\6161384.exe
        
        "C:\Users\Admin\AppData\Roaming\6161384.exe"
        6⤵
        
        PID:4948
      - C:\Users\Admin\AppData\Roaming\5839826.exe
        
        "C:\Users\Admin\AppData\Roaming\5839826.exe"
        6⤵
        
        PID:5608
      - C:\Users\Admin\AppData\Roaming\3196111.exe
        
        "C:\Users\Admin\AppData\Roaming\3196111.exe"
        6⤵
        
        PID:5788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_8.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_8.exe
      metina_8.exe
      4⤵
      Executes dropped EXE
      PID:4240
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Crack.exe"
        5⤵
        
        PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\PbOSetp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PbOSetp.exe"
        5⤵
        
        PID:4736
      - C:\Users\Admin\AppData\Roaming\2870539.exe
        
        "C:\Users\Admin\AppData\Roaming\2870539.exe"
        6⤵
        
        PID:5468
      - C:\Users\Admin\AppData\Roaming\1668308.exe
        
        "C:\Users\Admin\AppData\Roaming\1668308.exe"
        6⤵
        
        PID:5520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_6.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\7zSC9897034\metina_6.exe
      metina_6.exe
      4⤵
      Executes dropped EXE
      PID:4104
    - - C:\Users\Admin\AppData\Roaming\5871179.exe
        
        "C:\Users\Admin\AppData\Roaming\5871179.exe"
        5⤵
        
        PID:4972
    - - C:\Users\Admin\AppData\Roaming\4004354.exe
        
        "C:\Users\Admin\AppData\Roaming\4004354.exe"
        5⤵
        
        PID:5048
      - C:\ProgramData\Windows Host\Windows Host.exe
        
        "C:\ProgramData\Windows Host\Windows Host.exe"
        6⤵
        
        PID:5400
    - - C:\Users\Admin\AppData\Roaming\2250892.exe
        
        "C:\Users\Admin\AppData\Roaming\2250892.exe"
        5⤵
        
        PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_9.exe
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c metina_10.exe
    3⤵
    PID:4008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/344-282-0x00000224ACD70000-0x00000224ACDE0000-memory.dmp

Filesize
448KB

Download
memory/996-220-0x000001DC55270000-0x000001DC552E0000-memory.dmp

Filesize
448KB

Download
memory/1072-318-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1072-314-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/1112-268-0x0000019FE7160000-0x0000019FE71D0000-memory.dmp

Filesize
448KB

Download
memory/1164-277-0x0000021100500000-0x0000021100570000-memory.dmp

Filesize
448KB

Download
memory/1368-286-0x000001583B800000-0x000001583B870000-memory.dmp

Filesize
448KB

Download
memory/1380-253-0x00000193E1C80000-0x00000193E1CF0000-memory.dmp

Filesize
448KB

Download
memory/1788-133-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-135-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-134-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-132-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1788-131-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1788-129-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1788-136-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1788-130-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1924-265-0x000001F2A9EB0000-0x000001F2A9F20000-memory.dmp

Filesize
448KB

Download
memory/2072-164-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2144-332-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2144-328-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/2368-228-0x000001FB60400000-0x000001FB60470000-memory.dmp

Filesize
448KB

Download
memory/2380-248-0x0000024F7FC40000-0x0000024F7FCB0000-memory.dmp

Filesize
448KB

Download
memory/2604-209-0x000001CD00310000-0x000001CD00380000-memory.dmp

Filesize
448KB

Download
memory/2604-201-0x000001CD00230000-0x000001CD0027B000-memory.dmp

Filesize
300KB

Download
memory/2712-295-0x0000023DBEB40000-0x0000023DBEBB0000-memory.dmp

Filesize
448KB

Download
memory/2724-297-0x0000023132F10000-0x0000023132F80000-memory.dmp

Filesize
448KB

Download
memory/2820-227-0x0000024359300000-0x0000024359370000-memory.dmp

Filesize
448KB

Download
memory/3048-353-0x00000000012A0000-0x00000000012B6000-memory.dmp

Filesize
88KB

Download
memory/3408-329-0x00000000005F0000-0x000000000073A000-memory.dmp

Filesize
1.3MB

Download
memory/3408-331-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3984-330-0x00000000027A0000-0x00000000027A1000-memory.dmp

Filesize
4KB

Download
memory/4092-274-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/4092-285-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4092-267-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/4092-293-0x0000000005730000-0x0000000005734000-memory.dmp

Filesize
16KB

Download
memory/4092-284-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4092-288-0x0000000005820000-0x0000000005821000-memory.dmp

Filesize
4KB

Download
memory/4104-185-0x000000001B250000-0x000000001B252000-memory.dmp

Filesize
8KB

Download
memory/4104-180-0x0000000000CD0000-0x0000000000CED000-memory.dmp

Filesize
116KB

Download
memory/4104-169-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/4172-188-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4224-183-0x000000001B280000-0x000000001B282000-memory.dmp

Filesize
8KB

Download
memory/4224-175-0x00000000004D0000-0x00000000004D1000-memory.dmp

Filesize
4KB

Download
memory/4516-197-0x0000000004C92000-0x0000000004D93000-memory.dmp

Filesize
1.0MB

Download
memory/4516-198-0x0000000004AA0000-0x0000000004AFC000-memory.dmp

Filesize
368KB

Download
memory/4636-217-0x000001A8D5500000-0x000001A8D5570000-memory.dmp

Filesize
448KB

Download
memory/4688-221-0x00000000016F0000-0x00000000016F2000-memory.dmp

Filesize
8KB

Download
memory/4736-252-0x000000001B2C0000-0x000000001B2C2000-memory.dmp

Filesize
8KB

Download
memory/4736-236-0x0000000000DB0000-0x0000000000DCD000-memory.dmp

Filesize
116KB

Download
memory/4736-223-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/4972-298-0x0000000007EA0000-0x0000000007EA1000-memory.dmp

Filesize
4KB

Download
memory/4972-246-0x0000000004AB0000-0x0000000004AB1000-memory.dmp

Filesize
4KB

Download
memory/4972-263-0x0000000004A80000-0x0000000004AAC000-memory.dmp

Filesize
176KB

Download
memory/4972-238-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/5012-315-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/5012-327-0x000000001BA00000-0x000000001BA02000-memory.dmp

Filesize
8KB

Download
memory/5048-270-0x000000000D7F0000-0x000000000D7F1000-memory.dmp

Filesize
4KB

Download
memory/5048-245-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/5048-255-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/5048-264-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

Filesize
64KB

Download
memory/5048-283-0x0000000000B80000-0x0000000000B81000-memory.dmp

Filesize
4KB

Download
memory/5048-266-0x000000000DC00000-0x000000000DC01000-memory.dmp

Filesize
4KB

Download
memory/5048-262-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/5400-339-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/5468-340-0x0000000004A10000-0x0000000004A11000-memory.dmp

Filesize
4KB

Download
memory/5520-342-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/5536-341-0x0000000005520000-0x0000000005B26000-memory.dmp

Filesize
6.0MB

Download
memory/5656-350-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5724-357-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/5756-360-0x00000000023A0000-0x00000000023A2000-memory.dmp

Filesize
8KB

Download
memory/5804-356-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/5804-359-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/5916-364-0x00000000028A2000-0x00000000028A4000-memory.dmp

Filesize
8KB

Download
memory/5916-358-0x00000000028A0000-0x00000000028A2000-memory.dmp

Filesize
8KB

Download
memory/5944-363-0x0000000000930000-0x000000000093B000-memory.dmp

Filesize
44KB

Download
memory/6100-362-0x0000000002790000-0x0000000002792000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads