redline | 6b1901a0869ace34caf5f28585e7b47df631708b16a55e4c9c0f4be765bbbaef

Analysis

max time kernel
89s
max time network
191s
platform
windows7_x64
resource
win7v20210408
submitted
25-06-2021 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1D5236140D1ED290E2EE8764CC9D9B30.exe
Size

3.2MB
MD5

1d5236140d1ed290e2ee8764cc9d9b30
SHA1

79e8dc84460d2effb2767c21fa095addf3039477
SHA256

6b1901a0869ace34caf5f28585e7b47df631708b16a55e4c9c0f4be765bbbaef
SHA512

7a39f2a389a54e5e4e585b4e754b09afd6d32000437bf8d0334f689688ebea1e1dbbf181a6d5807bcc5668b76b3406ea35440747135d9b9cab6c2c023555b93c

Score

10^/10

redline vidar 25_6_r 706 cana servani aspackv2 evasion infostealer stealer trojan

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

706

https://sergeevih43.tumblr.com

Attributes

profile_id
706

Extracted

Family

redline

Botnet

Cana

176.111.174.254:56328

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

redline

Botnet

25_6_r

rdanoriran.xyz:80

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 8 IoCs

resource	yara_rule
behavioral1/memory/1720-156-0x00000000003E0000-0x00000000003FB000-memory.dmp	family_redline
behavioral1/memory/1720-159-0x0000000000AB0000-0x0000000000AC9000-memory.dmp	family_redline
behavioral1/memory/1116-166-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/1116-167-0x0000000000417F26-mapping.dmp	family_redline
behavioral1/memory/1116-172-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2352-212-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2352-214-0x0000000000417E2A-mapping.dmp	family_redline
behavioral1/memory/2352-217-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/1468-155-0x0000000000400000-0x00000000004BC000-memory.dmp	family_vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00030000000130da-68.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-70.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-72.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d6-75.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d6-76.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d5-77.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d5-78.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d8-81.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d8-82.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-84.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-87.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-86.dat	aspack_v212_v242
behavioral1/files/0x00030000000130da-85.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 20 IoCs

pid	Process
324	setup_installer.exe
752	setup_install.exe
1468	arnatic_1.exe
1512	arnatic_5.exe
1716	arnatic_3.exe
1352	arnatic_6.exe
1720	arnatic_7.exe
1116	arnatic_6.exe
1608	oc2AJHYBUQnxNKwM1lTGxti1.exe
1680	cwB2EH4nFZhIVk2DxrJIGysU.exe
568	5TE7jclWH_hL7U5WCdnbzyhZ.exe
304	Ldiitr_4Fckv1VIDLMFjrh4l.exe
1712	kjMkB1HViyztTnaYMLVjPQm3.exe
2068	Fqo8w0FvxlcjOXNlrvtP9sp_.exe
1144	XpogLeuNyhT3ikelWCvFbN7W.exe
1684	T7uurFgz1o83Ej3ZxaMz2KWJ.exe
2056	Bm3oM3kU5xGuoUKVp6xM1DvT.exe
2108	Y67aSvaVceipa1aDigTJ9tH3.exe
2096	BLdqYBcGg097BfYwWUkBuI6s.exe
2156	qG8pj_9LzlMe5ZWNxWGCB3x5.exe

Loads dropped DLL 64 IoCs

pid	Process
1984	1D5236140D1ED290E2EE8764CC9D9B30.exe
324	setup_installer.exe
324	setup_installer.exe
324	setup_installer.exe
324	setup_installer.exe
324	setup_installer.exe
324	setup_installer.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
752	setup_install.exe
824	cmd.exe
824	cmd.exe
428	cmd.exe
764	cmd.exe
1468	arnatic_1.exe
1468	arnatic_1.exe
1256	cmd.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1256	cmd.exe
812	cmd.exe
812	cmd.exe
1720	arnatic_7.exe
1720	arnatic_7.exe
1352	arnatic_6.exe
1352	arnatic_6.exe
1352	arnatic_6.exe
1116	arnatic_6.exe
1116	arnatic_6.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1608	oc2AJHYBUQnxNKwM1lTGxti1.exe
1608	oc2AJHYBUQnxNKwM1lTGxti1.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
1512	arnatic_5.exe
2156	qG8pj_9LzlMe5ZWNxWGCB3x5.exe
2156	qG8pj_9LzlMe5ZWNxWGCB3x5.exe
1680	cwB2EH4nFZhIVk2DxrJIGysU.exe
1680	cwB2EH4nFZhIVk2DxrJIGysU.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	ipinfo.io
6	ipinfo.io
82	ip-api.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1352 set thread context of 1116	1352	arnatic_6.exe	45

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2388	1468	WerFault.exe	36

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	arnatic_5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	arnatic_1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	arnatic_1.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	arnatic_1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	arnatic_5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	arnatic_5.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1352	arnatic_6.exe
Token: SeDebugPrivilege	1720	arnatic_7.exe
Token: SeDebugPrivilege	1116	arnatic_6.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 1984 wrote to memory of 324	1984	1D5236140D1ED290E2EE8764CC9D9B30.exe	29
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 324 wrote to memory of 752	324	setup_installer.exe	30
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 824	752	setup_install.exe	32
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 1992	752	setup_install.exe	33
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 428	752	setup_install.exe	43
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 328	752	setup_install.exe	34
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 764	752	setup_install.exe	42
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 1256	752	setup_install.exe	41
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 752 wrote to memory of 812	752	setup_install.exe	35
PID 824 wrote to memory of 1468	824	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\1D5236140D1ED290E2EE8764CC9D9B30.exe
"C:\Users\Admin\AppData\Local\Temp\1D5236140D1ED290E2EE8764CC9D9B30.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:324
- - C:\Users\Admin\AppData\Local\Temp\7zS441EC325\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS441EC325\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_1.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_1.exe
        
        arnatic_1.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1468
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 892
        6⤵
        Program crash
        
        PID:2388
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_2.exe
      4⤵
      PID:1992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_4.exe
      4⤵
      PID:328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_7.exe
      4⤵
      Loads dropped DLL
      PID:812
    - - C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_7.exe
        
        arnatic_7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_6.exe
      4⤵
      Loads dropped DLL
      PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_5.exe
      4⤵
      Loads dropped DLL
      PID:764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_3.exe
      4⤵
      Loads dropped DLL
      PID:428

C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_3.exe
arnatic_3.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_5.exe
arnatic_5.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
PID:1512
- C:\Users\Admin\Documents\oc2AJHYBUQnxNKwM1lTGxti1.exe
  "C:\Users\Admin\Documents\oc2AJHYBUQnxNKwM1lTGxti1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1608
- C:\Users\Admin\Documents\IL0scNtc6mz2HRKlFpOUgSvQ.exe
  "C:\Users\Admin\Documents\IL0scNtc6mz2HRKlFpOUgSvQ.exe"
  2⤵
  PID:940
- C:\Users\Admin\Documents\Ldiitr_4Fckv1VIDLMFjrh4l.exe
  "C:\Users\Admin\Documents\Ldiitr_4Fckv1VIDLMFjrh4l.exe"
  2⤵
  - Executes dropped EXE
  PID:304
- C:\Users\Admin\Documents\5TE7jclWH_hL7U5WCdnbzyhZ.exe
  "C:\Users\Admin\Documents\5TE7jclWH_hL7U5WCdnbzyhZ.exe"
  2⤵
  - Executes dropped EXE
  PID:568
- C:\Users\Admin\Documents\Fqo8w0FvxlcjOXNlrvtP9sp_.exe
  "C:\Users\Admin\Documents\Fqo8w0FvxlcjOXNlrvtP9sp_.exe"
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Users\Admin\Documents\Bm3oM3kU5xGuoUKVp6xM1DvT.exe
  "C:\Users\Admin\Documents\Bm3oM3kU5xGuoUKVp6xM1DvT.exe"
  2⤵
  - Executes dropped EXE
  PID:2056
- C:\Users\Admin\Documents\XpogLeuNyhT3ikelWCvFbN7W.exe
  "C:\Users\Admin\Documents\XpogLeuNyhT3ikelWCvFbN7W.exe"
  2⤵
  - Executes dropped EXE
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
    3⤵
    PID:2492
- C:\Users\Admin\Documents\kjMkB1HViyztTnaYMLVjPQm3.exe
  "C:\Users\Admin\Documents\kjMkB1HViyztTnaYMLVjPQm3.exe"
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Users\Admin\Documents\T7uurFgz1o83Ej3ZxaMz2KWJ.exe
  "C:\Users\Admin\Documents\T7uurFgz1o83Ej3ZxaMz2KWJ.exe"
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Users\Admin\Documents\W5BXjsbxqO0lf5pUyESm1llj.exe
  "C:\Users\Admin\Documents\W5BXjsbxqO0lf5pUyESm1llj.exe"
  2⤵
  PID:1988
- C:\Users\Admin\Documents\cwB2EH4nFZhIVk2DxrJIGysU.exe
  "C:\Users\Admin\Documents\cwB2EH4nFZhIVk2DxrJIGysU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1680
- - C:\Users\Admin\Documents\cwB2EH4nFZhIVk2DxrJIGysU.exe
    C:\Users\Admin\Documents\cwB2EH4nFZhIVk2DxrJIGysU.exe
    3⤵
    PID:2352
- C:\Users\Admin\Documents\Y67aSvaVceipa1aDigTJ9tH3.exe
  "C:\Users\Admin\Documents\Y67aSvaVceipa1aDigTJ9tH3.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Users\Admin\Documents\BLdqYBcGg097BfYwWUkBuI6s.exe
  "C:\Users\Admin\Documents\BLdqYBcGg097BfYwWUkBuI6s.exe"
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Users\Admin\Documents\PurClgjhVB7ki9M8mCgmdSvI.exe
  "C:\Users\Admin\Documents\PurClgjhVB7ki9M8mCgmdSvI.exe"
  2⤵
  PID:2088
- C:\Users\Admin\Documents\qG8pj_9LzlMe5ZWNxWGCB3x5.exe
  "C:\Users\Admin\Documents\qG8pj_9LzlMe5ZWNxWGCB3x5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2156

C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_6.exe
arnatic_6.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1352
- C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_6.exe
  C:\Users\Admin\AppData\Local\Temp\7zS441EC325\arnatic_6.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1116

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-111-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/752-92-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/752-101-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/752-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/752-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/752-115-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/752-91-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/752-116-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/752-93-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/752-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/752-103-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/752-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1116-166-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1116-174-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1116-172-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1352-157-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/1352-164-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1468-152-0x0000000000230000-0x00000000002EC000-memory.dmp

Filesize
752KB

Download
memory/1468-155-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1680-210-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1720-154-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/1720-161-0x00000000048F2000-0x00000000048F3000-memory.dmp

Filesize
4KB

Download
memory/1720-156-0x00000000003E0000-0x00000000003FB000-memory.dmp

Filesize
108KB

Download
memory/1720-162-0x00000000048F3000-0x00000000048F4000-memory.dmp

Filesize
4KB

Download
memory/1720-159-0x0000000000AB0000-0x0000000000AC9000-memory.dmp

Filesize
100KB

Download
memory/1720-165-0x00000000048F4000-0x00000000048F6000-memory.dmp

Filesize
8KB

Download
memory/1720-160-0x00000000048F1000-0x00000000048F2000-memory.dmp

Filesize
4KB

Download
memory/1720-153-0x0000000000230000-0x00000000002A9000-memory.dmp

Filesize
484KB

Download
memory/1984-59-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2352-212-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-217-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2352-221-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads