Overview

overview

10

Static

static

6CA6142C56...38.exe

windows7_x64

10

6CA6142C56...38.exe

windows10_x64

Analysis

  • max time kernel
    149s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    20-06-2021 23:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6CA6142C56A9258BB4D59DB76E1B5138.exe

  • Size

    3.3MB

  • MD5

    6ca6142c56a9258bb4d59db76e1b5138

  • SHA1

    d521ca13ba7336ed51e51547a27f21fb2cd00a35

  • SHA256

    12f7ffd93e0af380b2fe64c1477afcf876ae1449dcc197d71da381873bfbb439

  • SHA512

    de96d680e4c4a63138022cc413a3e52c86aaa131a15ebfbc7f041cb336e7d69ffc05b5487decd592227f22093a22ac454d34be3098364ac588000d52ddb7ff35

Score
10/10
redlinevidar20_6_r932anincanal01aspackv2discoveryevasioninfostealerspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

NCanal01

C2

pupdatastart.tech:80

pupdatastart.xyz:80

pupdatastar.store:80

Extracted

Family

redline

Botnet

Ani

C2

yaklalau.xyz:80

Extracted

Family

redline

Botnet

20_6_r

C2

qitoshalan.xyz:80

Extracted

Family

vidar

Version

39.4

Botnet

932

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    932

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 8 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 37 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 6 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 3 IoCs
  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 29 IoCs
  • Modifies registry class 24 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:884
        • C:\Windows\system32\taskeng.exe
          taskeng.exe {5BB67AB8-F031-4F11-BFA0-C637A703889E} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
          3⤵
            PID:2988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
              C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
              4⤵
                PID:628
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
            • Checks processor information in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:1940
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k SystemNetworkService
            2⤵
            • Drops file in System32 directory
            • Checks processor information in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            PID:2452
        • C:\Users\Admin\AppData\Local\Temp\6CA6142C56A9258BB4D59DB76E1B5138.exe
          "C:\Users\Admin\AppData\Local\Temp\6CA6142C56A9258BB4D59DB76E1B5138.exe"
          1⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1520
          • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
            "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
            2⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of WriteProcessMemory
            PID:1220
            • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\setup_install.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\setup_install.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1508
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c arnatic_2.exe
                4⤵
                • Loads dropped DLL
                PID:1108
                • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_2.exe
                  arnatic_2.exe
                  5⤵
                  • Executes dropped EXE
                  PID:1772
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c arnatic_1.exe
                4⤵
                  PID:1128
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c arnatic_4.exe
                  4⤵
                    PID:1956
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c arnatic_3.exe
                    4⤵
                    • Loads dropped DLL
                    PID:628
                    • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_3.exe
                      arnatic_3.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:824
                      • C:\Windows\SysWOW64\rUNdlL32.eXe
                        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",init
                        6⤵
                        • Loads dropped DLL
                        • Modifies registry class
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1788
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c arnatic_6.exe
                    4⤵
                    • Loads dropped DLL
                    PID:1852
                    • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_6.exe
                      arnatic_6.exe
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Modifies system certificate store
                      PID:688
                      • C:\Users\Admin\Documents\WzD7cKRXPeGaparpUSkN_A6f.exe
                        "C:\Users\Admin\Documents\WzD7cKRXPeGaparpUSkN_A6f.exe"
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        PID:2236
                      • C:\Users\Admin\Documents\gHocbDnrwexiO18PTifX2eI9.exe
                        "C:\Users\Admin\Documents\gHocbDnrwexiO18PTifX2eI9.exe"
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Suspicious use of SetThreadContext
                        PID:2196
                        • C:\Users\Admin\Documents\gHocbDnrwexiO18PTifX2eI9.exe
                          C:\Users\Admin\Documents\gHocbDnrwexiO18PTifX2eI9.exe
                          7⤵
                          • Executes dropped EXE
                          • Checks processor information in registry
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2116
                      • C:\Users\Admin\Documents\Z8K6PMoP2Uck0WS0ByytB_I6.exe
                        "C:\Users\Admin\Documents\Z8K6PMoP2Uck0WS0ByytB_I6.exe"
                        6⤵
                        • Executes dropped EXE
                        PID:2312
                        • C:\Users\Admin\AppData\Local\Temp\7zSEA9D.tmp\SimplInst.exe
                          .\SimplInst.exe
                          7⤵
                          • Executes dropped EXE
                          PID:3040
                          • C:\Users\Admin\AppData\Local\Temp\7zSFBDC.tmp\SimplInst.exe
                            .\SimplInst.exe /S /site_id=767
                            8⤵
                            • Executes dropped EXE
                            • Checks BIOS information in registry
                            • Drops file in System32 directory
                            • Enumerates system info in registry
                            PID:2508
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m notepad.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True" &
                              9⤵
                                PID:1924
                                • C:\Windows\SysWOW64\forfiles.exe
                                  forfiles /p c:\windows\system32 /m ping.exe /c "cmd /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True"
                                  10⤵
                                    PID:2616
                                    • C:\Windows\SysWOW64\cmd.exe
                                      /C powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                      11⤵
                                        PID:2568
                                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True
                                          12⤵
                                          • Drops file in System32 directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:1032
                                  • C:\Windows\SysWOW64\forfiles.exe
                                    "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
                                    9⤵
                                      PID:2088
                                      • C:\Windows\SysWOW64\cmd.exe
                                        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
                                        10⤵
                                          PID:2204
                                          • \??\c:\windows\SysWOW64\reg.exe
                                            REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
                                            11⤵
                                              PID:2064
                                            • \??\c:\windows\SysWOW64\reg.exe
                                              REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
                                              11⤵
                                                PID:2296
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /CREATE /TN "gihQQEZGS" /SC once /ST 00:50:36 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
                                            9⤵
                                            • Creates scheduled task(s)
                                            PID:2936
                                          • C:\Windows\SysWOW64\schtasks.exe
                                            schtasks /run /I /tn "gihQQEZGS"
                                            9⤵
                                              PID:1852
                                      • C:\Users\Admin\Documents\LUV_RuV5N1pSX5UFl2UagziD.exe
                                        "C:\Users\Admin\Documents\LUV_RuV5N1pSX5UFl2UagziD.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        PID:2288
                                      • C:\Users\Admin\Documents\NUJHQ4MFi5GEjGFnREDrpll6.exe
                                        "C:\Users\Admin\Documents\NUJHQ4MFi5GEjGFnREDrpll6.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious use of SetThreadContext
                                        • Suspicious use of AdjustPrivilegeToken
                                        PID:2280
                                        • C:\Users\Admin\Documents\NUJHQ4MFi5GEjGFnREDrpll6.exe
                                          C:\Users\Admin\Documents\NUJHQ4MFi5GEjGFnREDrpll6.exe
                                          7⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2560
                                      • C:\Users\Admin\Documents\sznZseVtw9YDvSQvW8boE0CA.exe
                                        "C:\Users\Admin\Documents\sznZseVtw9YDvSQvW8boE0CA.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:2824
                                      • C:\Users\Admin\Documents\aSTE1bzuzeXeUp_io2fE9wlP.exe
                                        "C:\Users\Admin\Documents\aSTE1bzuzeXeUp_io2fE9wlP.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        • Drops file in Program Files directory
                                        PID:2844
                                        • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
                                          "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          • Modifies system certificate store
                                          PID:3048
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            8⤵
                                            • Executes dropped EXE
                                            PID:548
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            8⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2132
                                        • C:\Program Files (x86)\Company\NewProduct\file4.exe
                                          "C:\Program Files (x86)\Company\NewProduct\file4.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2960
                                        • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                                          "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2228
                                          • C:\Windows\SysWOW64\WerFault.exe
                                            C:\Windows\SysWOW64\WerFault.exe -u -p 2228 -s 292
                                            8⤵
                                            • Program crash
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2348
                                        • C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
                                          "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
                                          7⤵
                                          • Executes dropped EXE
                                          PID:2180
                                          • C:\Windows\SysWOW64\rUNdlL32.eXe
                                            "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
                                            8⤵
                                            • Modifies registry class
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:968
                                      • C:\Users\Admin\Documents\_I5IR3Lzn0mFpYx5tbzRqOAD.exe
                                        "C:\Users\Admin\Documents\_I5IR3Lzn0mFpYx5tbzRqOAD.exe"
                                        6⤵
                                        • Executes dropped EXE
                                        PID:2888
                                        • C:\Windows\SysWOW64\cmd.exe
                                          cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\Documents\_I5IR3Lzn0mFpYx5tbzRqOAD.exe"
                                          7⤵
                                            PID:3028
                                            • C:\Windows\SysWOW64\PING.EXE
                                              ping 1.1.1.1 -n 1 -w 3000
                                              8⤵
                                              • Runs ping.exe
                                              PID:1960
                                        • C:\Users\Admin\Documents\maFQ1LkF5ao7kGyS5tzNAxTH.exe
                                          "C:\Users\Admin\Documents\maFQ1LkF5ao7kGyS5tzNAxTH.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          PID:2872
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            7⤵
                                            • Executes dropped EXE
                                            PID:2984
                                          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                            7⤵
                                            • Executes dropped EXE
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:2244
                                        • C:\Users\Admin\Documents\cpd0qjo5UnC3WEA61G9WnMwg.exe
                                          "C:\Users\Admin\Documents\cpd0qjo5UnC3WEA61G9WnMwg.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2864
                                        • C:\Users\Admin\Documents\WM6OXPaborSurPvmDGddJSq6.exe
                                          "C:\Users\Admin\Documents\WM6OXPaborSurPvmDGddJSq6.exe"
                                          6⤵
                                          • Executes dropped EXE
                                          • Drops file in Program Files directory
                                          • Suspicious behavior: EnumeratesProcesses
                                          PID:2968
                                          • C:\Program Files\Mozilla Firefox\firefox.exe
                                            "C:\Program Files\Mozilla Firefox\firefox.exe"
                                            7⤵
                                              PID:2112
                                          • C:\Users\Admin\Documents\n_NKGcmtKqg3J1tqCDTou6kA.exe
                                            "C:\Users\Admin\Documents\n_NKGcmtKqg3J1tqCDTou6kA.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            PID:2068
                                            • C:\Windows\SysWOW64\rUNdlL32.eXe
                                              "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                              7⤵
                                              • Modifies registry class
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:292
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c arnatic_5.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1640
                                        • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_5.exe
                                          arnatic_5.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Modifies system certificate store
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:1688
                                          • C:\Users\Admin\AppData\Roaming\1382190.exe
                                            "C:\Users\Admin\AppData\Roaming\1382190.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            PID:572
                                            • C:\Windows\system32\WerFault.exe
                                              C:\Windows\system32\WerFault.exe -u -p 572 -s 524
                                              7⤵
                                              • Program crash
                                              • Suspicious behavior: EnumeratesProcesses
                                              • Suspicious use of AdjustPrivilegeToken
                                              PID:2220
                                          • C:\Users\Admin\AppData\Roaming\2838005.exe
                                            "C:\Users\Admin\AppData\Roaming\2838005.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            PID:2052
                                          • C:\Users\Admin\AppData\Roaming\2287216.exe
                                            "C:\Users\Admin\AppData\Roaming\2287216.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Modifies system certificate store
                                            PID:2124
                                            • C:\Windows\SysWOW64\WerFault.exe
                                              C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 984
                                              7⤵
                                              • Program crash
                                              • Suspicious behavior: EnumeratesProcesses
                                              PID:2584
                                          • C:\Users\Admin\AppData\Roaming\1789258.exe
                                            "C:\Users\Admin\AppData\Roaming\1789258.exe"
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2160
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c arnatic_8.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:1056
                                        • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_8.exe
                                          arnatic_8.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:756
                                      • C:\Windows\SysWOW64\cmd.exe
                                        C:\Windows\system32\cmd.exe /c arnatic_7.exe
                                        4⤵
                                        • Loads dropped DLL
                                        PID:408
                                        • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_7.exe
                                          arnatic_7.exe
                                          5⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of SetThreadContext
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:980
                                          • C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_7.exe
                                            C:\Users\Admin\AppData\Local\Temp\7zS4C4017E4\arnatic_7.exe
                                            6⤵
                                            • Executes dropped EXE
                                            • Loads dropped DLL
                                            • Suspicious behavior: EnumeratesProcesses
                                            • Suspicious use of AdjustPrivilegeToken
                                            PID:2144

                                Network

                                MITRE ATT&CK Enterprise v6

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/572-189-0x0000000000F00000-0x0000000000F01000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/572-201-0x000000001AE60000-0x000000001AE62000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/756-184-0x0000000004EC2000-0x0000000004EC3000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/756-185-0x0000000004EC3000-0x0000000004EC4000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/756-208-0x0000000004EC4000-0x0000000004EC6000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/756-180-0x00000000003C0000-0x00000000003EF000-memory.dmp

                                  Filesize

                                  188KB

                                  Download

                                • memory/756-181-0x0000000000400000-0x00000000008FE000-memory.dmp

                                  Filesize

                                  5.0MB

                                  Download

                                • memory/756-183-0x0000000004EC1000-0x0000000004EC2000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/756-182-0x00000000024F0000-0x000000000250B000-memory.dmp

                                  Filesize

                                  108KB

                                  Download

                                • memory/756-196-0x0000000002630000-0x0000000002649000-memory.dmp

                                  Filesize

                                  100KB

                                  Download

                                • memory/884-176-0x00000000011A0000-0x0000000001211000-memory.dmp

                                  Filesize

                                  452KB

                                  Download

                                • memory/884-175-0x00000000008B0000-0x00000000008FB000-memory.dmp

                                  Filesize

                                  300KB

                                  Download

                                • memory/980-191-0x0000000000900000-0x0000000000901000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/980-162-0x0000000000130000-0x0000000000131000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1508-100-0x0000000064940000-0x0000000064959000-memory.dmp

                                  Filesize

                                  100KB

                                  Download

                                • memory/1508-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                  Filesize

                                  1.5MB

                                  Download

                                • memory/1508-103-0x0000000064940000-0x0000000064959000-memory.dmp

                                  Filesize

                                  100KB

                                  Download

                                • memory/1508-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                  Filesize

                                  152KB

                                  Download

                                • memory/1508-108-0x0000000064940000-0x0000000064959000-memory.dmp

                                  Filesize

                                  100KB

                                  Download

                                • memory/1508-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                  Filesize

                                  572KB

                                  Download

                                • memory/1508-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                  Filesize

                                  1.5MB

                                  Download

                                • memory/1508-112-0x0000000064940000-0x0000000064959000-memory.dmp

                                  Filesize

                                  100KB

                                  Download

                                • memory/1508-113-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                  Filesize

                                  572KB

                                  Download

                                • memory/1508-118-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                  Filesize

                                  152KB

                                  Download

                                • memory/1520-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1688-155-0x0000000000150000-0x0000000000151000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1688-164-0x0000000000BF0000-0x0000000000BF2000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/1688-161-0x0000000000180000-0x0000000000181000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1688-160-0x0000000000160000-0x000000000017D000-memory.dmp

                                  Filesize

                                  116KB

                                  Download

                                • memory/1688-137-0x0000000000C70000-0x0000000000C71000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/1788-174-0x0000000000220000-0x000000000027C000-memory.dmp

                                  Filesize

                                  368KB

                                  Download

                                • memory/1788-173-0x00000000020F0000-0x00000000021F1000-memory.dmp

                                  Filesize

                                  1.0MB

                                  Download

                                • memory/1940-179-0x0000000000500000-0x0000000000571000-memory.dmp

                                  Filesize

                                  452KB

                                  Download

                                • memory/2052-207-0x0000000000480000-0x0000000000481000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2052-195-0x0000000000D20000-0x0000000000D21000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2124-275-0x0000000000400000-0x0000000000947000-memory.dmp

                                  Filesize

                                  5.3MB

                                  Download

                                • memory/2124-274-0x00000000023C0000-0x000000000245D000-memory.dmp

                                  Filesize

                                  628KB

                                  Download

                                • memory/2144-228-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2144-217-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2160-223-0x0000000000310000-0x0000000000311000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2160-232-0x0000000000A40000-0x0000000000A7D000-memory.dmp

                                  Filesize

                                  244KB

                                  Download

                                • memory/2160-233-0x00000000003F0000-0x00000000003F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2160-214-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2196-216-0x00000000001F0000-0x00000000001F1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2220-205-0x000007FEFB891000-0x000007FEFB893000-memory.dmp

                                  Filesize

                                  8KB

                                  Download

                                • memory/2280-230-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2288-278-0x0000000002560000-0x0000000002561000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2288-220-0x00000000003C0000-0x00000000003C1000-memory.dmp

                                  Filesize

                                  4KB

                                  Download

                                • memory/2452-277-0x0000000000280000-0x00000000002F1000-memory.dmp

                                  Filesize

                                  452KB

                                  Download

                                • memory/2452-276-0x0000000000060000-0x00000000000AC000-memory.dmp

                                  Filesize

                                  304KB

                                  Download

                                • memory/2560-234-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download

                                • memory/2560-237-0x0000000000400000-0x000000000041E000-memory.dmp

                                  Filesize

                                  120KB

                                  Download