cryptbot | 112bd06da5542a690c50f0f4583d68f13c26685f14166a158d161489b0a1c8c6

Analysis

max time kernel
25s
max time network
579s
platform
windows7_x64
resource
win7v20210410
submitted
23-06-2021 21:57

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

x86_x64_setup.exe
Size

3.6MB
MD5

d93af4a3acb5eb632658a632178db45c
SHA1

c9ead39a2366efd397210b1b31fbf17c36d5b26e
SHA256

3ffc5b261ff1c9283c427243b54dbe5f9af2b103702a0af6d8516a4bace91a07
SHA512

38726799fb981b5adb08a5312e2ae7ed3a330d02d965b1a4e218d3549baf1dfff20ff79e276f884ed195650fe27e26097e0fcaf81bd397535612b5932a46f0b8

Score

10^/10

cryptbot fickerstealer redline smokeloader vidar gxq3gyi1svg=aspackv2 backdoor evasion infostealer spyware stealer trojan upx

Malware Config

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

GxQ3GyI1SVg=

DDkKBA0ZQRA9DTQUNixBQAA8OlgtKC5J

Extracted

Family

cryptbot

cypgvt32.top

morkyl03.top

Attributes

payload_url
http://dugyly04.top/download.php?file=lv.exe

Extracted

Family

fickerstealer

bukkva.club:80

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot

CryptBot Payload 2 IoCs

resource	yara_rule
behavioral1/memory/292-277-0x00000000024A0000-0x0000000002581000-memory.dmp	family_cryptbot
behavioral1/memory/292-278-0x0000000000400000-0x0000000000965000-memory.dmp	family_cryptbot

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

resource	yara_rule
behavioral1/memory/1164-182-0x0000000000980000-0x000000000099B000-memory.dmp	family_redline
behavioral1/memory/1164-188-0x00000000025F0000-0x0000000002609000-memory.dmp	family_redline
behavioral1/memory/700-206-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/700-209-0x0000000000417DBE-mapping.dmp	family_redline
behavioral1/memory/2260-220-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2260-227-0x0000000000417E32-mapping.dmp	family_redline
behavioral1/memory/700-225-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2260-231-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2256-260-0x0000000000417E36-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
fickerstealer
Ficker is an infostealer written in Rust and ASM.
infostealer fickerstealer

Vidar Stealer 6 IoCs

stealer

resource	yara_rule
behavioral1/memory/1648-193-0x0000000000ED0000-0x0000000000F67000-memory.dmp	Vidar
behavioral1/memory/1648-194-0x0000000000400000-0x000000000093E000-memory.dmp	Vidar
behavioral1/memory/2272-257-0x0000000000400000-0x0000000000472000-memory.dmp	Vidar
behavioral1/memory/436-275-0x00000000002C0000-0x000000000035D000-memory.dmp	Vidar
behavioral1/memory/436-276-0x0000000000400000-0x000000000094D000-memory.dmp	Vidar
behavioral1/memory/1180-293-0x000000000046B76D-mapping.dmp	Vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000001310e-69.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-70.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-71.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-73.dat	aspack_v212_v242
behavioral1/files/0x000300000001310a-75.dat	aspack_v212_v242
behavioral1/files/0x000300000001310a-74.dat	aspack_v212_v242
behavioral1/files/0x0003000000013109-76.dat	aspack_v212_v242
behavioral1/files/0x0003000000013109-77.dat	aspack_v212_v242
behavioral1/files/0x000300000001310c-83.dat	aspack_v212_v242
behavioral1/files/0x000300000001310c-82.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-85.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-87.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-88.dat	aspack_v212_v242
behavioral1/files/0x000300000001310e-86.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

pid	Process
1232	setup_installer.exe
1772	setup_install.exe
1636	sonia_2.exe
1648	sonia_3.exe
1164	sonia_8.exe
1180	sonia_6.exe
1440	sonia_9.exe
296	sonia_7.exe
1572	sonia_4.exe
700	sonia_9.exe
1740	sonia_9.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00040000000130fe-185.dat	upx

Loads dropped DLL 45 IoCs

pid	Process
1116	x86_x64_setup.exe
1232	setup_installer.exe
1232	setup_installer.exe
1232	setup_installer.exe
1232	setup_installer.exe
1232	setup_installer.exe
1232	setup_installer.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1772	setup_install.exe
1660	cmd.exe
1660	cmd.exe
588	cmd.exe
588	cmd.exe
528	cmd.exe
528	cmd.exe
328	cmd.exe
328	cmd.exe
1636	sonia_2.exe
1636	sonia_2.exe
576	cmd.exe
1496	cmd.exe
332	cmd.exe
1164	sonia_8.exe
1164	sonia_8.exe
1648	sonia_3.exe
1648	sonia_3.exe
1440	sonia_9.exe
1440	sonia_9.exe
1572	sonia_4.exe
1572	sonia_4.exe
296	sonia_7.exe
296	sonia_7.exe
1572	sonia_4.exe
1572	sonia_4.exe
700	sonia_9.exe
700	sonia_9.exe
1440	sonia_9.exe
1636	sonia_2.exe
1440	sonia_9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
7	ip-api.com
163	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2784	1648	WerFault.exe	40
2356	436	WerFault.exe	59
1184	1180	WerFault.exe	105

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	sonia_2.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1520	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1636	sonia_2.exe
1636	sonia_2.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1180	sonia_6.exe
Token: SeDebugPrivilege	1440	sonia_9.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1116 wrote to memory of 1232	1116	x86_x64_setup.exe	26
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1232 wrote to memory of 1772	1232	setup_installer.exe	27
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1584	1772	setup_install.exe	29
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 1660	1772	setup_install.exe	46
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 588	1772	setup_install.exe	30
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 332	1772	setup_install.exe	44
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 1216	1772	setup_install.exe	31
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 576	1772	setup_install.exe	32
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 1496	1772	setup_install.exe	43
PID 1772 wrote to memory of 528	1772	setup_install.exe	42

C:\Users\Admin\AppData\Local\Temp\x86_x64_setup.exe
"C:\Users\Admin\AppData\Local\Temp\x86_x64_setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_1.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_3.exe
      4⤵
      Loads dropped DLL
      PID:588
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_3.exe
        
        sonia_3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 968
        6⤵
        Program crash
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_5.exe
      4⤵
      PID:1216
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      Loads dropped DLL
      PID:576
    - - C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_6.exe
        
        sonia_6.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_9.exe
      4⤵
      Loads dropped DLL
      PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_8.exe
      4⤵
      Loads dropped DLL
      PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
      Loads dropped DLL
      PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_4.exe
      4⤵
      Loads dropped DLL
      PID:332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_2.exe
      4⤵
      Loads dropped DLL
      PID:1660

C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_2.exe
sonia_2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:1636

C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_9.exe
sonia_9.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1440
- C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_9.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_9.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_9.exe
  C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_9.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:700

C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_4.exe
sonia_4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:700
- C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
  2⤵
  PID:1604

C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_7.exe
sonia_7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296
- C:\Users\Admin\Documents\eGD0RyNEQL2frGJHbP6IDDnz.exe
  "C:\Users\Admin\Documents\eGD0RyNEQL2frGJHbP6IDDnz.exe"
  2⤵
  PID:1720
- - C:\Users\Admin\Documents\eGD0RyNEQL2frGJHbP6IDDnz.exe
    C:\Users\Admin\Documents\eGD0RyNEQL2frGJHbP6IDDnz.exe
    3⤵
    PID:2260
- C:\Users\Admin\Documents\YnE5vXM9S6U2YPLDodXF3ZjW.exe
  "C:\Users\Admin\Documents\YnE5vXM9S6U2YPLDodXF3ZjW.exe"
  2⤵
  PID:1064
- - C:\Users\Admin\Documents\YnE5vXM9S6U2YPLDodXF3ZjW.exe
    C:\Users\Admin\Documents\YnE5vXM9S6U2YPLDodXF3ZjW.exe
    3⤵
    PID:1180
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 936
      4⤵
      Program crash
      PID:1184
- C:\Users\Admin\Documents\0VFT2jEGBRtGvlT0wc2Trvh_.exe
  "C:\Users\Admin\Documents\0VFT2jEGBRtGvlT0wc2Trvh_.exe"
  2⤵
  PID:1036
- C:\Users\Admin\Documents\OZKV4JkF6oM94lsXf42VpKoC.exe
  "C:\Users\Admin\Documents\OZKV4JkF6oM94lsXf42VpKoC.exe"
  2⤵
  PID:1624
- C:\Users\Admin\Documents\AmBAIioyuzla1ExFuOLP7ykP.exe
  "C:\Users\Admin\Documents\AmBAIioyuzla1ExFuOLP7ykP.exe"
  2⤵
  PID:2108
- C:\Users\Admin\Documents\ROX0PP4CQCelXU761N4NDEHF.exe
  "C:\Users\Admin\Documents\ROX0PP4CQCelXU761N4NDEHF.exe"
  2⤵
  PID:2052
- - C:\Users\Admin\Documents\ROX0PP4CQCelXU761N4NDEHF.exe
    C:\Users\Admin\Documents\ROX0PP4CQCelXU761N4NDEHF.exe
    3⤵
    PID:2256
- C:\Users\Admin\Documents\YAYOxiG0sQ7PqDTNjntq5bCA.exe
  "C:\Users\Admin\Documents\YAYOxiG0sQ7PqDTNjntq5bCA.exe"
  2⤵
  PID:436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 948
    3⤵
    - Program crash
    PID:2356
- C:\Users\Admin\Documents\lVcIqHRrxOrHf3nyFYz0M_I4.exe
  "C:\Users\Admin\Documents\lVcIqHRrxOrHf3nyFYz0M_I4.exe"
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\63912517796.exe"
    3⤵
    PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\63912517796.exe
      "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\63912517796.exe"
      4⤵
      PID:2388
    - - C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\63912517796.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\63912517796.exe"
        5⤵
        
        PID:2768
      - C:\Users\Admin\AppData\Local\Temp\1624485736663.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1624485736663.exe"
        6⤵
        
        PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\76187260953.exe" /mix
    3⤵
    PID:832
  - - C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\76187260953.exe
      "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\76187260953.exe" /mix
      4⤵
      PID:292
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\86180571926.exe" /mix
    3⤵
    PID:1100
  - - C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\86180571926.exe
      "C:\Users\Admin\AppData\Local\Temp\{ux4k-CvU2v-heUu-5iAjJ}\86180571926.exe" /mix
      4⤵
      PID:1424
    - - C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        5⤵
        
        PID:2980
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "lVcIqHRrxOrHf3nyFYz0M_I4.exe" /f & erase "C:\Users\Admin\Documents\lVcIqHRrxOrHf3nyFYz0M_I4.exe" & exit
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "lVcIqHRrxOrHf3nyFYz0M_I4.exe" /f
      4⤵
      Kills process with taskkill
      PID:1520
- C:\Users\Admin\Documents\Ie00wvZLGOx65U6r_Uv5EMl6.exe
  "C:\Users\Admin\Documents\Ie00wvZLGOx65U6r_Uv5EMl6.exe"
  2⤵
  PID:2296
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    PID:2984
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      PID:3004
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3004.0.1334224185\1850521105" -parentBuildID 20200403170909 -prefsHandle 1160 -prefMapHandle 1152 -prefsLen 1 -prefMapSize 219622 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3004 "\\.\pipe\gecko-crash-server-pipe.3004" 1224 gpu
        5⤵
        
        PID:2204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe"
    3⤵
    PID:2520
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef67a4f50,0x7fef67a4f60,0x7fef67a4f70
      4⤵
      PID:968
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=988,2268822631947808022,15234962419328219817,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=996 /prefetch:2
      4⤵
      PID:1116
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C taskkill /F /PID 2296 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\Ie00wvZLGOx65U6r_Uv5EMl6.exe"
    3⤵
    PID:2304
- C:\Users\Admin\Documents\0U4_f6qP3ZenLxR8_XQKWmyx.exe
  "C:\Users\Admin\Documents\0U4_f6qP3ZenLxR8_XQKWmyx.exe"
  2⤵
  PID:2348
- C:\Users\Admin\Documents\HygZ64npItYIhAzHvMiEEj1v.exe
  "C:\Users\Admin\Documents\HygZ64npItYIhAzHvMiEEj1v.exe"
  2⤵
  PID:2368
- - C:\Program Files (x86)\Company\NewProduct\file4.exe
    "C:\Program Files (x86)\Company\NewProduct\file4.exe"
    3⤵
    PID:2480
- - C:\Program Files (x86)\Company\NewProduct\jooyu.exe
    "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
    3⤵
    PID:2572
- - C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
    "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
    3⤵
    PID:2616
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:2632

C:\Users\Admin\AppData\Local\Temp\7zS0D45BFB4\sonia_8.exe
sonia_8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164

C:\Users\Admin\AppData\Local\Temp\EB58.exe
C:\Users\Admin\AppData\Local\Temp\EB58.exe
1⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\5793.exe
C:\Users\Admin\AppData\Local\Temp\5793.exe
1⤵
PID:1840

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/292-277-0x00000000024A0000-0x0000000002581000-memory.dmp

Filesize
900KB

Download
memory/292-278-0x0000000000400000-0x0000000000965000-memory.dmp

Filesize
5.4MB

Download
memory/436-275-0x00000000002C0000-0x000000000035D000-memory.dmp

Filesize
628KB

Download
memory/436-276-0x0000000000400000-0x000000000094D000-memory.dmp

Filesize
5.3MB

Download
memory/700-206-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/700-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1064-213-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/1116-60-0x0000000075EF1000-0x0000000075EF3000-memory.dmp

Filesize
8KB

Download
memory/1164-184-0x0000000002653000-0x0000000002654000-memory.dmp

Filesize
4KB

Download
memory/1164-180-0x0000000000400000-0x00000000008FE000-memory.dmp

Filesize
5.0MB

Download
memory/1164-188-0x00000000025F0000-0x0000000002609000-memory.dmp

Filesize
100KB

Download
memory/1164-179-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/1164-183-0x0000000002652000-0x0000000002653000-memory.dmp

Filesize
4KB

Download
memory/1164-181-0x0000000002651000-0x0000000002652000-memory.dmp

Filesize
4KB

Download
memory/1164-189-0x0000000002654000-0x0000000002656000-memory.dmp

Filesize
8KB

Download
memory/1164-182-0x0000000000980000-0x000000000099B000-memory.dmp

Filesize
108KB

Download
memory/1180-168-0x00000000003E0000-0x00000000003FD000-memory.dmp

Filesize
116KB

Download
memory/1180-173-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/1180-176-0x000000001AE40000-0x000000001AE42000-memory.dmp

Filesize
8KB

Download
memory/1180-157-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1180-167-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1288-208-0x0000000002960000-0x0000000002976000-memory.dmp

Filesize
88KB

Download
memory/1424-271-0x0000000001EE0000-0x0000000001FAE000-memory.dmp

Filesize
824KB

Download
memory/1424-274-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1440-190-0x00000000008B0000-0x00000000008B1000-memory.dmp

Filesize
4KB

Download
memory/1440-177-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1636-192-0x0000000000400000-0x00000000008E5000-memory.dmp

Filesize
4.9MB

Download
memory/1636-191-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1648-194-0x0000000000400000-0x000000000093E000-memory.dmp

Filesize
5.2MB

Download
memory/1648-193-0x0000000000ED0000-0x0000000000F67000-memory.dmp

Filesize
604KB

Download
memory/1720-211-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1772-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1772-131-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1772-92-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1772-129-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1772-125-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1772-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1772-132-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/1772-130-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1772-127-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1772-120-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1772-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1772-128-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2052-221-0x0000000000F50000-0x0000000000F51000-memory.dmp

Filesize
4KB

Download
memory/2052-253-0x00000000007F0000-0x00000000007F1000-memory.dmp

Filesize
4KB

Download
memory/2256-262-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/2260-234-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2260-231-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2260-220-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2272-257-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2272-256-0x00000000002D0000-0x0000000000342000-memory.dmp

Filesize
456KB

Download
memory/2296-247-0x0000000005000000-0x00000000050CD000-memory.dmp

Filesize
820KB

Download
memory/2296-250-0x0000000000400000-0x000000000095D000-memory.dmp

Filesize
5.4MB

Download
memory/2296-245-0x00000000050D0000-0x000000000519F000-memory.dmp

Filesize
828KB

Download
memory/2296-254-0x0000000004FC4000-0x0000000004FC6000-memory.dmp

Filesize
8KB

Download
memory/2296-255-0x00000000010C0000-0x00000000010CB000-memory.dmp

Filesize
44KB

Download
memory/2296-248-0x0000000004FC2000-0x0000000004FC3000-memory.dmp

Filesize
4KB

Download
memory/2296-246-0x0000000000960000-0x00000000009EE000-memory.dmp

Filesize
568KB

Download
memory/2296-252-0x0000000004FC3000-0x0000000004FC4000-memory.dmp

Filesize
4KB

Download
memory/2296-251-0x0000000004FC1000-0x0000000004FC2000-memory.dmp

Filesize
4KB

Download
memory/2348-272-0x0000000000400000-0x0000000000D41000-memory.dmp

Filesize
9.3MB

Download
memory/2348-273-0x0000000002D00000-0x0000000003626000-memory.dmp

Filesize
9.1MB

Download
memory/2388-280-0x00000000002A0000-0x00000000002E4000-memory.dmp

Filesize
272KB

Download
memory/2480-249-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/2480-242-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2768-284-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2784-261-0x0000000000480000-0x0000000000481000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads