redline | 885c540ea597bed7e1d4b8fd3670bc66e821368ba0df789c53a5fd2cb96ed33f

Analysis

max time kernel
18s
max time network
187s
platform
windows7_x64
resource
win7v20210408
submitted
20-06-2021 03:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a29be9e688d14557bb2c8d1bab72071a.exe
Size

3.6MB
MD5

a29be9e688d14557bb2c8d1bab72071a
SHA1

4f839d5d4bd6f098abe8f5bc64db2542b0e40798
SHA256

885c540ea597bed7e1d4b8fd3670bc66e821368ba0df789c53a5fd2cb96ed33f
SHA512

6779e16636d379032752571d1db35385b88d46d007d9fc6093ff9537e6a1fcb7ce5937a649f0f908535c1d0a295faeaa34a719503b1a346e8609b8e2da185e1e

Score

10^/10

redline smokeloader vidar 19_6_r 706 ani ncanal01 aspackv2 backdoor evasion infostealer stealer trojan

Malware Config

Extracted

Family

vidar

Version

39.3

Botnet

706

https://bandakere.tumblr.com

Attributes

profile_id
706

Extracted

Family

redline

Botnet

NCanal01

pupdatastart.tech:80

pupdatastart.xyz:80

pupdatastar.store:80

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

Ani

yaklalau.xyz:80

Extracted

Family

redline

Botnet

19_6_r

qitoshalan.xyz:80

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral1/memory/1736-188-0x0000000002620000-0x000000000263B000-memory.dmp	family_redline
behavioral1/memory/1736-199-0x0000000002640000-0x0000000002659000-memory.dmp	family_redline
behavioral1/memory/2288-219-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2288-222-0x0000000000417DBE-mapping.dmp	family_redline
behavioral1/memory/2288-229-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-242-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2596-246-0x0000000000417F16-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/1612-191-0x0000000000940000-0x00000000009D7000-memory.dmp	family_vidar
behavioral1/memory/1612-194-0x0000000000400000-0x000000000093E000-memory.dmp	family_vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0003000000013117-60.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-61.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-62.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-64.dat	aspack_v212_v242
behavioral1/files/0x000300000001310c-65.dat	aspack_v212_v242
behavioral1/files/0x000300000001310a-68.dat	aspack_v212_v242
behavioral1/files/0x000300000001310a-67.dat	aspack_v212_v242
behavioral1/files/0x000300000001310c-66.dat	aspack_v212_v242
behavioral1/files/0x0003000000013113-74.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-78.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-77.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-79.dat	aspack_v212_v242
behavioral1/files/0x0003000000013117-76.dat	aspack_v212_v242
behavioral1/files/0x0003000000013113-73.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

pid	Process
1824	setup_install.exe
1612	sonia_3.exe
1760	sonia_1.exe
400	sonia_2.exe
752	sonia_5.exe
1348	sonia_4.exe
1688	sonia_7.exe
1500	sonia_6.exe
1080	sonia_9.exe
1240	sonia_5.tmp
1736	sonia_8.exe
2028	jfiag3g_gg.exe

Loads dropped DLL 47 IoCs

pid	Process
1940	a29be9e688d14557bb2c8d1bab72071a.exe
1940	a29be9e688d14557bb2c8d1bab72071a.exe
1940	a29be9e688d14557bb2c8d1bab72071a.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
1824	setup_install.exe
568	cmd.exe
1516	cmd.exe
1516	cmd.exe
1632	cmd.exe
1632	cmd.exe
820	cmd.exe
1948	cmd.exe
1612	sonia_3.exe
1612	sonia_3.exe
400	sonia_2.exe
400	sonia_2.exe
752	sonia_5.exe
752	sonia_5.exe
952	cmd.exe
1648	cmd.exe
1348	sonia_4.exe
1348	sonia_4.exe
1676	cmd.exe
1676	cmd.exe
1688	sonia_7.exe
1688	sonia_7.exe
752	sonia_5.exe
1080	sonia_9.exe
1080	sonia_9.exe
976	cmd.exe
976	cmd.exe
1736	sonia_8.exe
1736	sonia_8.exe
1240	sonia_5.tmp
1240	sonia_5.tmp
1240	sonia_5.tmp
1348	sonia_4.exe
1348	sonia_4.exe
2028	jfiag3g_gg.exe
2028	jfiag3g_gg.exe
400	sonia_2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
123	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2104	1612	WerFault.exe	45
3340	3304	WerFault.exe	111

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2880	timeout.exe
4092	timeout.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
764	taskkill.exe
4000	taskkill.exe
1836	taskkill.exe
2852	taskkill.exe
1608	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
400	sonia_2.exe
400	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1500	sonia_6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1940 wrote to memory of 1824	1940	a29be9e688d14557bb2c8d1bab72071a.exe	27
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 568	1824	setup_install.exe	30
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1632	1824	setup_install.exe	49
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 1516	1824	setup_install.exe	31
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 820	1824	setup_install.exe	48
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 1824 wrote to memory of 1948	1824	setup_install.exe	47
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 568 wrote to memory of 1760	568	cmd.exe	46
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1516 wrote to memory of 1612	1516	cmd.exe	45
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1632 wrote to memory of 400	1632	cmd.exe	43
PID 1824 wrote to memory of 1648	1824	setup_install.exe	44

C:\Users\Admin\AppData\Local\Temp\a29be9e688d14557bb2c8d1bab72071a.exe
"C:\Users\Admin\AppData\Local\Temp\a29be9e688d14557bb2c8d1bab72071a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_1.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_1.exe
      sonia_1.exe
      4⤵
      Executes dropped EXE
      PID:1760
    - - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
        5⤵
        
        PID:2660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_3.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_3.exe
      sonia_3.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 972
        5⤵
        Program crash
        
        PID:2104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_7.exe
    3⤵
    - Loads dropped DLL
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_7.exe
      sonia_7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1688
    - - C:\Users\Admin\Documents\xfj3gh2ZTvJZXKans_gqnN2L.exe
        
        "C:\Users\Admin\Documents\xfj3gh2ZTvJZXKans_gqnN2L.exe"
        5⤵
        
        PID:2096
    - - C:\Users\Admin\Documents\lQiwSylzwrJxzVAKx1d0I_rT.exe
        
        "C:\Users\Admin\Documents\lQiwSylzwrJxzVAKx1d0I_rT.exe"
        5⤵
        
        PID:2140
      - C:\Users\Admin\Documents\lQiwSylzwrJxzVAKx1d0I_rT.exe
        
        "C:\Users\Admin\Documents\lQiwSylzwrJxzVAKx1d0I_rT.exe"
        6⤵
        
        PID:2620
    - - C:\Users\Admin\Documents\IWU6o8HdrgO7hHJBXoX4wNC6.exe
        
        "C:\Users\Admin\Documents\IWU6o8HdrgO7hHJBXoX4wNC6.exe"
        5⤵
        
        PID:2296
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        6⤵
        
        PID:3012
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:2148
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        6⤵
        
        PID:2664
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef5bd4f50,0x7fef5bd4f60,0x7fef5bd4f70
        7⤵
        
        PID:2696
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
        7⤵
        
        PID:2568
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1456 /prefetch:8
        7⤵
        
        PID:1552
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 /prefetch:8
        7⤵
        
        PID:2388
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1
        7⤵
        
        PID:912
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2416 /prefetch:1
        7⤵
        
        PID:2908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
        7⤵
        
        PID:2092
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2556 /prefetch:1
        7⤵
        
        PID:2140
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2272 /prefetch:1
        7⤵
        
        PID:428
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2032 /prefetch:1
        7⤵
        
        PID:1760
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1432 /prefetch:8
        7⤵
        
        PID:3204
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,17634969022807087803,6174232606732817186,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3188 /prefetch:2
        7⤵
        
        PID:3508
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 2296 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\IWU6o8HdrgO7hHJBXoX4wNC6.exe"
        6⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F /PID 2296
        7⤵
        Kills process with taskkill
        
        PID:764
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 2296 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\IWU6o8HdrgO7hHJBXoX4wNC6.exe"
        6⤵
        
        PID:2276
    - - C:\Users\Admin\Documents\g6j_8Erx1oNbQvk019lghn56.exe
        
        "C:\Users\Admin\Documents\g6j_8Erx1oNbQvk019lghn56.exe"
        5⤵
        
        PID:2268
      - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        6⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:3760
      - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        6⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3304 -s 292
        7⤵
        Program crash
        
        PID:3340
      - C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
        6⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
        7⤵
        
        PID:3640
      - C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        6⤵
        
        PID:3196
    - - C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe
        
        "C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe"
        5⤵
        
        PID:2228
      - C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe
        
        C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe
        6⤵
        
        PID:2504
      - C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe
        
        C:\Users\Admin\Documents\NxhE9Y_39_OGiJhmrRxKx0iI.exe
        6⤵
        
        PID:2596
    - - C:\Users\Admin\Documents\DQvfHmC8yb3_G7OCpK7neJNZ.exe
        
        "C:\Users\Admin\Documents\DQvfHmC8yb3_G7OCpK7neJNZ.exe"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im DQvfHmC8yb3_G7OCpK7neJNZ.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\DQvfHmC8yb3_G7OCpK7neJNZ.exe" & del C:\ProgramData\*.dll & exit
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DQvfHmC8yb3_G7OCpK7neJNZ.exe /f
        7⤵
        Kills process with taskkill
        
        PID:4000
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 6
        7⤵
        Delays execution with timeout.exe
        
        PID:4092
    - - C:\Users\Admin\Documents\e6qDDKkDpErTSwhLqUYHHiuU.exe
        
        "C:\Users\Admin\Documents\e6qDDKkDpErTSwhLqUYHHiuU.exe"
        5⤵
        
        PID:2396
    - - C:\Users\Admin\Documents\odALkvsMosSw3eP52Zblrelj.exe
        
        "C:\Users\Admin\Documents\odALkvsMosSw3eP52Zblrelj.exe"
        5⤵
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "odALkvsMosSw3eP52Zblrelj.exe" /f & erase "C:\Users\Admin\Documents\odALkvsMosSw3eP52Zblrelj.exe" & exit
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "odALkvsMosSw3eP52Zblrelj.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:1836
    - - C:\Users\Admin\Documents\lBbg2AsmPWf1pgL7dGyleH9u.exe
        
        "C:\Users\Admin\Documents\lBbg2AsmPWf1pgL7dGyleH9u.exe"
        5⤵
        
        PID:2656
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        6⤵
        
        PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_9.exe
    3⤵
    - Loads dropped DLL
    PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_8.exe
    3⤵
    - Loads dropped DLL
    PID:976
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_6.exe
    3⤵
    - Loads dropped DLL
    PID:1648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_5.exe
    3⤵
    - Loads dropped DLL
    PID:1948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_4.exe
    3⤵
    - Loads dropped DLL
    PID:820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c sonia_2.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1632

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_5.exe
sonia_5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752
- C:\Users\Admin\AppData\Local\Temp\is-PE52C.tmp\sonia_5.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PE52C.tmp\sonia_5.tmp" /SL5="$4012E,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1240
- - C:\Users\Admin\AppData\Local\Temp\is-VND4E.tmp\____(768çshjs).exe
    "C:\Users\Admin\AppData\Local\Temp\is-VND4E.tmp\____(768çshjs).exe" /S /UID=burnerch1
    3⤵
    PID:2084
  - - C:\Program Files\Windows NT\AJGEPDTIIG\ultramediaburner.exe
      "C:\Program Files\Windows NT\AJGEPDTIIG\ultramediaburner.exe" /VERYSILENT
      4⤵
      PID:4040
    - - C:\Users\Admin\AppData\Local\Temp\is-4RJT6.tmp\ultramediaburner.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-4RJT6.tmp\ultramediaburner.tmp" /SL5="$90220,281924,62464,C:\Program Files\Windows NT\AJGEPDTIIG\ultramediaburner.exe" /VERYSILENT
        5⤵
        
        PID:4056
      - C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe
        
        "C:\Program Files (x86)\UltraMediaBurner\UltraMediaBurner.exe" -silent -desktopShortcut -programMenu
        6⤵
        
        PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\03-f9176-e3f-595a1-0723e998669b9\Texixovyvi.exe
      "C:\Users\Admin\AppData\Local\Temp\03-f9176-e3f-595a1-0723e998669b9\Texixovyvi.exe"
      4⤵
      PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\ce-378c8-73a-036be-3223e8a7e2530\Luforadupae.exe
      "C:\Users\Admin\AppData\Local\Temp\ce-378c8-73a-036be-3223e8a7e2530\Luforadupae.exe"
      4⤵
      PID:3176

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_9.exe
sonia_9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080
- C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_9.exe
  C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_9.exe
  2⤵
  PID:2288

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_6.exe
sonia_6.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1500
- C:\Users\Admin\AppData\Roaming\4452314.exe
  "C:\Users\Admin\AppData\Roaming\4452314.exe"
  2⤵
  PID:2128
- C:\Users\Admin\AppData\Roaming\1204169.exe
  "C:\Users\Admin\AppData\Roaming\1204169.exe"
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Roaming\1807789.exe
  "C:\Users\Admin\AppData\Roaming\1807789.exe"
  2⤵
  PID:2460
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im 1807789.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Roaming\1807789.exe" & del C:\ProgramData\*.dll & exit
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im 1807789.exe /f
      4⤵
      Kills process with taskkill
      PID:2852
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 6
      4⤵
      Delays execution with timeout.exe
      PID:2880
- C:\Users\Admin\AppData\Roaming\3464099.exe
  "C:\Users\Admin\AppData\Roaming\3464099.exe"
  2⤵
  PID:2344

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_8.exe
sonia_8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1348
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2028
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:2872

C:\Users\Admin\AppData\Local\Temp\7zS497E8AE4\sonia_2.exe
sonia_2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2912

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2296
1⤵
- Kills process with taskkill
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-192-0x0000000000400000-0x00000000008E5000-memory.dmp

Filesize
4.9MB

Download
memory/400-189-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/752-146-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1080-184-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1080-205-0x0000000004DB0000-0x0000000004DB1000-memory.dmp

Filesize
4KB

Download
memory/1240-183-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1256-214-0x0000000002A50000-0x0000000002A66000-memory.dmp

Filesize
88KB

Download
memory/1500-173-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/1500-182-0x000000001ACB0000-0x000000001ACB2000-memory.dmp

Filesize
8KB

Download
memory/1500-177-0x0000000001ED0000-0x0000000001EED000-memory.dmp

Filesize
116KB

Download
memory/1500-180-0x0000000001F70000-0x0000000001F71000-memory.dmp

Filesize
4KB

Download
memory/1500-160-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/1612-194-0x0000000000400000-0x000000000093E000-memory.dmp

Filesize
5.2MB

Download
memory/1612-191-0x0000000000940000-0x00000000009D7000-memory.dmp

Filesize
604KB

Download
memory/1736-190-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/1736-196-0x0000000004DD2000-0x0000000004DD3000-memory.dmp

Filesize
4KB

Download
memory/1736-188-0x0000000002620000-0x000000000263B000-memory.dmp

Filesize
108KB

Download
memory/1736-199-0x0000000002640000-0x0000000002659000-memory.dmp

Filesize
100KB

Download
memory/1736-217-0x0000000004DD4000-0x0000000004DD6000-memory.dmp

Filesize
8KB

Download
memory/1736-193-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1736-197-0x0000000004DD3000-0x0000000004DD4000-memory.dmp

Filesize
4KB

Download
memory/1736-195-0x0000000004DD1000-0x0000000004DD2000-memory.dmp

Filesize
4KB

Download
memory/1824-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1824-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1824-117-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1824-82-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1824-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1824-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1824-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1824-99-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1824-83-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1824-105-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1824-124-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1824-101-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1940-59-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/2084-206-0x0000000002030000-0x0000000002032000-memory.dmp

Filesize
8KB

Download
memory/2128-204-0x0000000001080000-0x0000000001081000-memory.dmp

Filesize
4KB

Download
memory/2128-216-0x0000000000370000-0x0000000000398000-memory.dmp

Filesize
160KB

Download
memory/2128-210-0x0000000001030000-0x0000000001031000-memory.dmp

Filesize
4KB

Download
memory/2228-233-0x0000000004DD0000-0x0000000004DD1000-memory.dmp

Filesize
4KB

Download
memory/2228-227-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2288-219-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2288-229-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2516-238-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/2516-236-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2516-245-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2516-241-0x00000000004C0000-0x00000000004FD000-memory.dmp

Filesize
244KB

Download
memory/2596-242-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2620-240-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download