plugx | f6c4232e68b8f6b36754cf619f5282d24af7e9a27cca2bbe72121066fb0c3cfd

Analysis

max time kernel
10s
max time network
330s
platform
windows7_x64
resource
win7v20210408
submitted
23-06-2021 21:58

Sharing

Copy URL

Twitter E-mail

Reason

Remote task has failed: Machine shutdown

Report Analysis Logs

General

Target

steup_x86.exe
Size

3.6MB
MD5

05e6fd44959e6258c1e07bd12a4f284f
SHA1

ea21133721033a9fe5da1dfce39f9875f5439ebb
SHA256

4b89b98e5e7b67eac0fb79dbf4ad697cbd79f9fe51b8313accc8d7bfe6a439d2
SHA512

66fac06f167254db8ce4e6e0b34c119f4aff9c3f6d4c9e691fcd82122a7036dc69b1b46967a46c59914a36c7d4241edfd37cb525572c16dcafc95c5cca118cef

Score

10^/10

plugx redline smokeloader vidar test aspackv2 backdoor evasion infostealer stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

test

qurigoraka.xyz:80

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 7 IoCs

resource	yara_rule
behavioral1/memory/900-209-0x0000000000990000-0x00000000009A9000-memory.dmp	family_redline
behavioral1/memory/2116-215-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2116-216-0x0000000000417DBE-mapping.dmp	family_redline
behavioral1/memory/900-205-0x00000000003E0000-0x00000000003FB000-memory.dmp	family_redline
behavioral1/memory/2116-234-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1660-240-0x00000000023E0000-0x00000000023FA000-memory.dmp	family_redline
behavioral1/memory/1660-241-0x00000000025E0000-0x00000000025F9000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/2300-252-0x000000000046B76D-mapping.dmp	Vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130db-68.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-70.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-72.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d7-75.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d7-76.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d6-77.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d6-78.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d9-81.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d9-82.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-85.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-87.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-86.dat	aspack_v212_v242
behavioral1/files/0x00030000000130db-84.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
1760	setup_installer.exe
1460	setup_install.exe
964	sotema_1.exe
844	sotema_7.exe
916	sotema_3.exe
1904	sotema_2.exe
904	sotema_5.exe
900	sotema_8.exe
960	sotema_9.exe
2032	sotema_5.tmp

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/2396-231-0x0000000000400000-0x00000000005DE000-memory.dmp	vmprotect

Loads dropped DLL 39 IoCs

pid	Process
1556	steup_x86.exe
1760	setup_installer.exe
1760	setup_installer.exe
1760	setup_installer.exe
1760	setup_installer.exe
1760	setup_installer.exe
1760	setup_installer.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
1460	setup_install.exe
824	cmd.exe
2020	cmd.exe
1276	cmd.exe
1384	cmd.exe
1384	cmd.exe
2020	cmd.exe
1752	cmd.exe
1608	cmd.exe
1608	cmd.exe
964	sotema_1.exe
964	sotema_1.exe
844	sotema_7.exe
844	sotema_7.exe
1904	sotema_2.exe
1904	sotema_2.exe
904	sotema_5.exe
904	sotema_5.exe
900	sotema_8.exe
900	sotema_8.exe
1372	cmd.exe
1372	cmd.exe
960	sotema_9.exe
960	sotema_9.exe
904	sotema_5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
78	ip-api.com
143	api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2520	2396	WerFault.exe
812	1596	WerFault.exe	54
1716	112	WerFault.exe	53
2340	2300	WerFault.exe	91
3696	916	WerFault.exe	48

Kills process with taskkill 3 IoCs

evasion

pid	Process
3040	taskkill.exe
3112	taskkill.exe
3144	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1556 wrote to memory of 1760	1556	steup_x86.exe	29
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1760 wrote to memory of 1460	1760	setup_installer.exe	30
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 824	1460	setup_install.exe	32
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 2020	1460	setup_install.exe	33
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1384	1460	setup_install.exe	34
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1496	1460	setup_install.exe	35
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1752	1460	setup_install.exe	36
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1348	1460	setup_install.exe	42
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1276	1460	setup_install.exe	37
PID 1460 wrote to memory of 1608	1460	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\steup_x86.exe
"C:\Users\Admin\AppData\Local\Temp\steup_x86.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_1.exe
      4⤵
      Loads dropped DLL
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_1.exe
        
        sotema_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:964
      - C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        6⤵
        
        PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_2.exe
      4⤵
      Loads dropped DLL
      PID:2020
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_2.exe
        
        sotema_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_3.exe
      4⤵
      Loads dropped DLL
      PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_3.exe
        
        sotema_3.exe
        5⤵
        Executes dropped EXE
        
        PID:916
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 916 -s 972
        6⤵
        Program crash
        
        PID:3696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_4.exe
      4⤵
      PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_5.exe
      4⤵
      Loads dropped DLL
      PID:1752
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_5.exe
        
        sotema_5.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_7.exe
      4⤵
      Loads dropped DLL
      PID:1276
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_7.exe
        
        sotema_7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:844
      - C:\Users\Admin\Documents\yz0sLe9NrKOCmDvgE7QL_Y_w.exe
        
        "C:\Users\Admin\Documents\yz0sLe9NrKOCmDvgE7QL_Y_w.exe"
        6⤵
        
        PID:1456
      - C:\Users\Admin\Documents\TnqN_n51ZseW3gD42NDTGLOJ.exe
        
        "C:\Users\Admin\Documents\TnqN_n51ZseW3gD42NDTGLOJ.exe"
        6⤵
        
        PID:112
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 112 -s 956
        7⤵
        Program crash
        
        PID:1716
      - C:\Users\Admin\Documents\6hPOv4jJdfy0FjBWchpDpvR5.exe
        
        "C:\Users\Admin\Documents\6hPOv4jJdfy0FjBWchpDpvR5.exe"
        6⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 924
        7⤵
        Program crash
        
        PID:812
      - C:\Users\Admin\Documents\sBgiNSUCNKYroH4QItqd_ZqH.exe
        
        "C:\Users\Admin\Documents\sBgiNSUCNKYroH4QItqd_ZqH.exe"
        6⤵
        
        PID:328
        
        C:\Users\Admin\Documents\sBgiNSUCNKYroH4QItqd_ZqH.exe
        
        "C:\Users\Admin\Documents\sBgiNSUCNKYroH4QItqd_ZqH.exe"
        7⤵
        
        PID:2252
      - C:\Users\Admin\Documents\nt8BGDFIPbMdHYr7uVWgZfmk.exe
        
        "C:\Users\Admin\Documents\nt8BGDFIPbMdHYr7uVWgZfmk.exe"
        6⤵
        
        PID:580
        
        C:\Users\Admin\Documents\nt8BGDFIPbMdHYr7uVWgZfmk.exe
        
        C:\Users\Admin\Documents\nt8BGDFIPbMdHYr7uVWgZfmk.exe
        7⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 960
        8⤵
        Program crash
        
        PID:2340
      - C:\Users\Admin\Documents\9LKVUPscsQiRDIeiT4vu0DcD.exe
        
        "C:\Users\Admin\Documents\9LKVUPscsQiRDIeiT4vu0DcD.exe"
        6⤵
        
        PID:1144
      - C:\Users\Admin\Documents\lPpxZyIsiAIiwQBcAsTuDlTh.exe
        
        "C:\Users\Admin\Documents\lPpxZyIsiAIiwQBcAsTuDlTh.exe"
        6⤵
        
        PID:1660
      - C:\Users\Admin\Documents\ujJDLzjU95FKHG6X77ZRVOyk.exe
        
        "C:\Users\Admin\Documents\ujJDLzjU95FKHG6X77ZRVOyk.exe"
        6⤵
        
        PID:2144
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        7⤵
        
        PID:2636
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe"
        8⤵
        
        PID:1188
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.0.1079577677\733618022" -parentBuildID 20200403170909 -prefsHandle 1104 -prefMapHandle 1096 -prefsLen 1 -prefMapSize 218938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 1188 gpu
        9⤵
        
        PID:1664
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.3.187410694\1821544836" -childID 1 -isForBrowser -prefsHandle 4608 -prefMapHandle 4604 -prefsLen 156 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 4620 tab
        9⤵
        
        PID:3332
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.13.1083133509\1974651847" -childID 2 -isForBrowser -prefsHandle 3700 -prefMapHandle 3720 -prefsLen 7589 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 3688 tab
        9⤵
        
        PID:3716
        
        C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1188.20.707378532\400272915" -childID 3 -isForBrowser -prefsHandle 2976 -prefMapHandle 2968 -prefsLen 8598 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 1188 "\\.\pipe\gecko-crash-server-pipe.1188" 2936 tab
        9⤵
        
        PID:3908
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe"
        7⤵
        
        PID:2676
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef60d4f50,0x7fef60d4f60,0x7fef60d4f70
        8⤵
        
        PID:2992
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1340 /prefetch:8
        8⤵
        
        PID:3232
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1064 /prefetch:2
        8⤵
        
        PID:3212
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1660 /prefetch:8
        8⤵
        
        PID:1000
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
        8⤵
        
        PID:2612
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2008 /prefetch:1
        8⤵
        
        PID:3704
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2532 /prefetch:1
        8⤵
        
        PID:4068
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1
        8⤵
        
        PID:4004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
        8⤵
        
        PID:3900
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2356 /prefetch:1
        8⤵
        
        PID:3896
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,15353873070611930681,15144655370722232155,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2364 /prefetch:2
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 2144 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ujJDLzjU95FKHG6X77ZRVOyk.exe"
        7⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C taskkill /F /PID 2144 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\ujJDLzjU95FKHG6X77ZRVOyk.exe"
        7⤵
        
        PID:2716
      - C:\Users\Admin\Documents\FNoyroN8qKSGMXFVxLk7dob_.exe
        
        "C:\Users\Admin\Documents\FNoyroN8qKSGMXFVxLk7dob_.exe"
        6⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\39212279920.exe"
        7⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\39212279920.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\39212279920.exe"
        8⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\39212279920.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\39212279920.exe"
        9⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\1624492662946.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1624492662946.exe"
        10⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\25494078009.exe" /mix
        7⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\25494078009.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\25494078009.exe" /mix
        8⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\60730660079.exe" /mix
        7⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\60730660079.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{WwoZ-7IIj7-0Z4Y-BMs2Y}\60730660079.exe" /mix
        8⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Roaming\nailedp\edspolishpp.exe
        
        edspolishpp.exe
        9⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "FNoyroN8qKSGMXFVxLk7dob_.exe" /f & erase "C:\Users\Admin\Documents\FNoyroN8qKSGMXFVxLk7dob_.exe" & exit
        7⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "FNoyroN8qKSGMXFVxLk7dob_.exe" /f
        8⤵
        Kills process with taskkill
        
        PID:3040
      - C:\Users\Admin\Documents\_r9mnMv_nREPMspqVNtZ84pW.exe
        
        "C:\Users\Admin\Documents\_r9mnMv_nREPMspqVNtZ84pW.exe"
        6⤵
        
        PID:2184
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:2360
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:2396
        
        C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
        7⤵
        
        PID:2364
        
        C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        7⤵
        
        PID:2308
      - C:\Users\Admin\Documents\hEa12QKXgKRIAEQkogm7yFz6.exe
        
        "C:\Users\Admin\Documents\hEa12QKXgKRIAEQkogm7yFz6.exe"
        6⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_8.exe
      4⤵
      Loads dropped DLL
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_8.exe
        
        sotema_8.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_9.exe
      4⤵
      Loads dropped DLL
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_9.exe
        
        sotema_9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:960
      - C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_9.exe
        6⤵
        
        PID:2116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sotema_6.exe
      4⤵
      PID:1348

C:\Users\Admin\AppData\Local\Temp\is-BNRI9.tmp\sotema_5.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BNRI9.tmp\sotema_5.tmp" /SL5="$4012C,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS0E63B445\sotema_5.exe"
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:1892

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl
1⤵
PID:2608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 292
1⤵
- Program crash
PID:2520

C:\Users\Admin\AppData\Local\Temp\9618.exe
C:\Users\Admin\AppData\Local\Temp\9618.exe
1⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\CCA3.exe
C:\Users\Admin\AppData\Local\Temp\CCA3.exe
1⤵
PID:2268

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2144
1⤵
- Kills process with taskkill
PID:3112

C:\Windows\SysWOW64\taskkill.exe
taskkill /F /PID 2144
1⤵
- Kills process with taskkill
PID:3144

C:\Users\Admin\AppData\Local\Temp\4405.exe
C:\Users\Admin\AppData\Local\Temp\4405.exe
1⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\4721.exe
C:\Users\Admin\AppData\Local\Temp\4721.exe
1⤵
PID:2088

C:\Windows\system32\taskeng.exe
taskeng.exe {FC0BC33A-B915-44D7-8D7C-6551A4580090} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:3148
- C:\Users\Admin\AppData\Roaming\bajbche
  C:\Users\Admin\AppData\Roaming\bajbche
  2⤵
  PID:2280
- C:\Users\Admin\AppData\Roaming\itjbche
  C:\Users\Admin\AppData\Roaming\itjbche
  2⤵
  PID:3212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-243-0x00000000003E0000-0x00000000003FF000-memory.dmp

Filesize
124KB

Download
memory/580-202-0x00000000011E0000-0x00000000011E1000-memory.dmp

Filesize
4KB

Download
memory/752-183-0x0000000000CB0000-0x0000000000DB1000-memory.dmp

Filesize
1.0MB

Download
memory/900-205-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/900-209-0x0000000000990000-0x00000000009A9000-memory.dmp

Filesize
100KB

Download
memory/904-162-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/960-177-0x0000000000A10000-0x0000000000A11000-memory.dmp

Filesize
4KB

Download
memory/1144-200-0x0000000001100000-0x0000000001101000-memory.dmp

Filesize
4KB

Download
memory/1224-186-0x0000000002BA0000-0x0000000002BB6000-memory.dmp

Filesize
88KB

Download
memory/1456-204-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1460-116-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1460-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1460-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1460-114-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1460-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1460-122-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1460-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1460-119-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1460-91-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1460-111-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1460-103-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1460-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1556-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/1660-241-0x00000000025E0000-0x00000000025F9000-memory.dmp

Filesize
100KB

Download
memory/1660-240-0x00000000023E0000-0x00000000023FA000-memory.dmp

Filesize
104KB

Download
memory/1904-178-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/1904-179-0x0000000000400000-0x00000000008E4000-memory.dmp

Filesize
4.9MB

Download
memory/2032-176-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2116-234-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2116-215-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2252-220-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2396-231-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads