plugx | b244fb7a7b39c836a9629262eaa80865cfbaf37aaea1b1d4b880d8a864f865a4

Target

setup_x86_x64_install - копия (10).exe
Size

3.2MB
MD5

3ae1c212119919e5fce71247286f8e0e
SHA1

97c1890ab73c539056f95eafede319df774e9d38
SHA256

30c2f230e5401b4b1ea8fb425dadf4e453575884303b9fa2066e6a91859f016e
SHA512

5bb28a775c10b8b68b8c448d64287ca732d0af5577ecc4348a89934358440bb4ff6958115f14ecbabb0446d234d6f621afa3419daa4aec6c03c0af9b6a3b1558

Score

10^/10

plugx redline smokeloader vidar 02_07_r proliv_02.06.2021 servani aspackv2 backdoor evasion infostealer stealer trojan upx

Malware Config

Extracted

Family

redline

Botnet

ServAni

87.251.71.195:82

Extracted

Family

smokeloader

Version

2020

http://ppcspb.com/upload/

http://mebbing.com/upload/

http://twcamel.com/upload/

http://howdycash.com/upload/

http://lahuertasonora.com/upload/

http://kpotiques.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

02_07_r

rdanoriran.xyz:80

Extracted

Family

redline

Botnet

PROLIV_02.06.2021

45.144.29.182:19066

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 9 IoCs

resource	yara_rule
behavioral1/memory/2040-165-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2040-166-0x0000000000417F26-mapping.dmp	family_redline
behavioral1/memory/2040-183-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2408-225-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2408-226-0x0000000000417E3A-mapping.dmp	family_redline
behavioral1/memory/2408-228-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2396-232-0x0000000000417E6A-mapping.dmp	family_redline
behavioral1/memory/2396-230-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral1/memory/2396-236-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/memory/2108-234-0x0000000000400000-0x000000000442B000-memory.dmp	Vidar
behavioral1/memory/2088-235-0x0000000000400000-0x0000000004429000-memory.dmp	Vidar

ASPack v2.12-2.42 14 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000300000001315c-69.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-70.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-71.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-73.dat	aspack_v212_v242
behavioral1/files/0x0003000000013158-74.dat	aspack_v212_v242
behavioral1/files/0x0003000000013158-75.dat	aspack_v212_v242
behavioral1/files/0x0003000000013157-76.dat	aspack_v212_v242
behavioral1/files/0x0003000000013157-77.dat	aspack_v212_v242
behavioral1/files/0x000300000001315a-83.dat	aspack_v212_v242
behavioral1/files/0x000300000001315a-82.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-85.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-87.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-86.dat	aspack_v212_v242
behavioral1/files/0x000300000001315c-88.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
1196	setup_installer.exe
612	setup_install.exe
1864	arnatic_2.exe
1724	arnatic_3.exe
1604	arnatic_5.exe
1708	arnatic_7.exe
748	arnatic_4.exe
1304	arnatic_6.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0003000000013172-179.dat	upx

Loads dropped DLL 34 IoCs

pid	Process
752	setup_x86_x64_install - копия (10).exe
1196	setup_installer.exe
1196	setup_installer.exe
1196	setup_installer.exe
1196	setup_installer.exe
1196	setup_installer.exe
1196	setup_installer.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
612	setup_install.exe
1044	cmd.exe
1044	cmd.exe
1864	arnatic_2.exe
1864	arnatic_2.exe
1216	cmd.exe
904	cmd.exe
1560	cmd.exe
1560	cmd.exe
560	cmd.exe
592	cmd.exe
1724	arnatic_3.exe
1724	arnatic_3.exe
1708	arnatic_7.exe
1708	arnatic_7.exe
748	arnatic_4.exe
748	arnatic_4.exe
1304	arnatic_6.exe
1304	arnatic_6.exe
1708	arnatic_7.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	ip-api.com
22	ipinfo.io
23	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3056	2108	WerFault.exe	58
1684	2088	WerFault.exe	60
2972	2208	WerFault.exe	78
3136	2700	WerFault.exe	89

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 752 wrote to memory of 1196	752	setup_x86_x64_install - копия (10).exe	28
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 1196 wrote to memory of 612	1196	setup_installer.exe	30
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1340	612	setup_install.exe	32
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1044	612	setup_install.exe	33
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 1216	612	setup_install.exe	36
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 560	612	setup_install.exe	34
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 904	612	setup_install.exe	35
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 592	612	setup_install.exe	37
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 612 wrote to memory of 1560	612	setup_install.exe	46
PID 1044 wrote to memory of 1864	1044	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (10).exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install - копия (10).exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1196
- - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_1.exe
      4⤵
      PID:1340
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_2.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_2.exe
        
        arnatic_2.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_4.exe
      4⤵
      Loads dropped DLL
      PID:560
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_4.exe
        
        arnatic_4.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:748
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_5.exe
      4⤵
      Loads dropped DLL
      PID:904
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_5.exe
        
        arnatic_5.exe
        5⤵
        Executes dropped EXE
        
        PID:1604
      - C:\Users\Admin\AppData\Roaming\8038703.exe
        
        "C:\Users\Admin\AppData\Roaming\8038703.exe"
        6⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2700 -s 1564
        7⤵
        Program crash
        
        PID:3136
      - C:\Users\Admin\AppData\Roaming\6989956.exe
        
        "C:\Users\Admin\AppData\Roaming\6989956.exe"
        6⤵
        
        PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_3.exe
      4⤵
      Loads dropped DLL
      PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_3.exe
        
        arnatic_3.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_6.exe
      4⤵
      Loads dropped DLL
      PID:592
    - - C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_6.exe
        
        arnatic_6.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1304
      - C:\Users\Admin\Documents\n5JlJK2WbNYqBaytfGrhLLuH.exe
        
        "C:\Users\Admin\Documents\n5JlJK2WbNYqBaytfGrhLLuH.exe"
        6⤵
        
        PID:2056
        
        C:\Program Files (x86)\Company\NewProduct\jingzhang.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"
        7⤵
        
        PID:2320
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2208 -s 292
        8⤵
        Program crash
        
        PID:2972
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Company\NewProduct\file4.exe
        
        "C:\Program Files (x86)\Company\NewProduct\file4.exe"
        7⤵
        
        PID:2324
      - C:\Users\Admin\Documents\yAM0KH4N0vZkjPzwXyMRRtQ5.exe
        
        "C:\Users\Admin\Documents\yAM0KH4N0vZkjPzwXyMRRtQ5.exe"
        6⤵
        
        PID:1744
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru
        7⤵
        
        PID:2128
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6994f50,0x7fef6994f60,0x7fef6994f70
        8⤵
        
        PID:2264
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1208,13006148477837023545,619011299553369520,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1220 /prefetch:2
        8⤵
        
        PID:1660
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1208,13006148477837023545,619011299553369520,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1344 /prefetch:8
        8⤵
        
        PID:1728
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1208,13006148477837023545,619011299553369520,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 /prefetch:8
        8⤵
        
        PID:940
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1208,13006148477837023545,619011299553369520,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1608 /prefetch:2
        8⤵
        
        PID:648
      - C:\Users\Admin\Documents\UgQiqY2ksPp5YaepPlQf0dGd.exe
        
        "C:\Users\Admin\Documents\UgQiqY2ksPp5YaepPlQf0dGd.exe"
        6⤵
        
        PID:968
      - C:\Users\Admin\Documents\LJVFd63Ru8po9MpWI0rDQAce.exe
        
        "C:\Users\Admin\Documents\LJVFd63Ru8po9MpWI0rDQAce.exe"
        6⤵
        
        PID:2068
        
        C:\Users\Admin\Documents\LJVFd63Ru8po9MpWI0rDQAce.exe
        
        C:\Users\Admin\Documents\LJVFd63Ru8po9MpWI0rDQAce.exe
        7⤵
        
        PID:2408
      - C:\Users\Admin\Documents\FlRLlBNxlvi8sACLMz8oHFmC.exe
        
        "C:\Users\Admin\Documents\FlRLlBNxlvi8sACLMz8oHFmC.exe"
        6⤵
        
        PID:2144
      - C:\Users\Admin\Documents\PUhItonckYlT1aRnEUlOUlkr.exe
        
        "C:\Users\Admin\Documents\PUhItonckYlT1aRnEUlOUlkr.exe"
        6⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 952
        7⤵
        Program crash
        
        PID:3056
      - C:\Users\Admin\Documents\D4tc74IyRZGAl6gsPbWwA61h.exe
        
        "C:\Users\Admin\Documents\D4tc74IyRZGAl6gsPbWwA61h.exe"
        6⤵
        
        PID:2096
      - C:\Users\Admin\Documents\i4m_YYMLpBj55oL5hYpxUZ6M.exe
        
        "C:\Users\Admin\Documents\i4m_YYMLpBj55oL5hYpxUZ6M.exe"
        6⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2088 -s 956
        7⤵
        Program crash
        
        PID:1684
      - C:\Users\Admin\Documents\iv38u3vitO54MyqcnVi5ITMw.exe
        
        "C:\Users\Admin\Documents\iv38u3vitO54MyqcnVi5ITMw.exe"
        6⤵
        
        PID:2080
      - C:\Users\Admin\Documents\HciXxtUZs7W50HCnM3bnavOG.exe
        
        "C:\Users\Admin\Documents\HciXxtUZs7W50HCnM3bnavOG.exe"
        6⤵
        
        PID:2208
        
        C:\Users\Admin\Documents\HciXxtUZs7W50HCnM3bnavOG.exe
        
        C:\Users\Admin\Documents\HciXxtUZs7W50HCnM3bnavOG.exe
        7⤵
        
        PID:2396
      - C:\Users\Admin\Documents\KeCG06xYbamW7t6Brl6XYILu.exe
        
        "C:\Users\Admin\Documents\KeCG06xYbamW7t6Brl6XYILu.exe"
        6⤵
        
        PID:2200
      - C:\Users\Admin\Documents\gU0gqbr2b7xMrhHL8NdZ0wcM.exe
        
        "C:\Users\Admin\Documents\gU0gqbr2b7xMrhHL8NdZ0wcM.exe"
        6⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\rUNdlL32.eXe
        
        "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
        7⤵
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c arnatic_7.exe
      4⤵
      Loads dropped DLL
      PID:1560

C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_7.exe
C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_7.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\7zSCA4C9954\arnatic_7.exe
arnatic_7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708

C:\Windows\SysWOW64\rUNdlL32.eXe
"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
1⤵
PID:648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:660

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
1⤵
PID:2688

C:\Users\Admin\AppData\Local\Temp\D1B1.exe
C:\Users\Admin\AppData\Local\Temp\D1B1.exe
1⤵
PID:688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-96-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/612-90-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/612-89-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/612-107-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/612-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/612-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/612-112-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/612-98-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/612-106-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/612-95-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/612-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/612-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/648-175-0x0000000002170000-0x0000000002271000-memory.dmp

Filesize
1.0MB

Download
memory/648-176-0x0000000000230000-0x000000000028D000-memory.dmp

Filesize
372KB

Download
memory/660-194-0x00000000030B0000-0x00000000031B6000-memory.dmp

Filesize
1.0MB

Download
memory/660-193-0x00000000002F0000-0x000000000030B000-memory.dmp

Filesize
108KB

Download
memory/660-185-0x0000000000270000-0x00000000002E1000-memory.dmp

Filesize
452KB

Download
memory/688-277-0x0000000000220000-0x000000000028B000-memory.dmp

Filesize
428KB

Download
memory/688-278-0x0000000000400000-0x0000000004420000-memory.dmp

Filesize
64.1MB

Download
memory/752-60-0x0000000076661000-0x0000000076663000-memory.dmp

Filesize
8KB

Download
memory/868-177-0x0000000000F80000-0x0000000000FCC000-memory.dmp

Filesize
304KB

Download
memory/868-178-0x00000000024F0000-0x0000000002561000-memory.dmp

Filesize
452KB

Download
memory/868-271-0x0000000001370000-0x00000000013E1000-memory.dmp

Filesize
452KB

Download
memory/868-270-0x00000000007F0000-0x000000000083C000-memory.dmp

Filesize
304KB

Download
memory/1244-190-0x0000000003B40000-0x0000000003B56000-memory.dmp

Filesize
88KB

Download
memory/1584-268-0x00000000021F0000-0x00000000022F1000-memory.dmp

Filesize
1.0MB

Download
memory/1584-269-0x00000000002D0000-0x000000000032D000-memory.dmp

Filesize
372KB

Download
memory/1604-279-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/1604-159-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/1604-155-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1684-273-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/1708-160-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1864-187-0x0000000000260000-0x0000000000269000-memory.dmp

Filesize
36KB

Download
memory/1864-188-0x0000000000400000-0x00000000008F4000-memory.dmp

Filesize
5.0MB

Download
memory/2040-165-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2040-189-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2040-183-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2068-222-0x0000000001260000-0x0000000001261000-memory.dmp

Filesize
4KB

Download
memory/2068-217-0x00000000012E0000-0x00000000012E1000-memory.dmp

Filesize
4KB

Download
memory/2080-251-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/2088-223-0x0000000000250000-0x00000000002B4000-memory.dmp

Filesize
400KB

Download
memory/2088-235-0x0000000000400000-0x0000000004429000-memory.dmp

Filesize
64.2MB

Download
memory/2088-239-0x0000000004AB0000-0x0000000008AD9000-memory.dmp

Filesize
64.2MB

Download
memory/2108-240-0x0000000004AC0000-0x0000000008AEB000-memory.dmp

Filesize
64.2MB

Download
memory/2108-224-0x0000000004AC0000-0x0000000008AEB000-memory.dmp

Filesize
64.2MB

Download
memory/2108-234-0x0000000000400000-0x000000000442B000-memory.dmp

Filesize
64.2MB

Download
memory/2144-256-0x0000000000400000-0x00000000047F2000-memory.dmp

Filesize
67.9MB

Download
memory/2144-243-0x0000000004F30000-0x0000000009322000-memory.dmp

Filesize
67.9MB

Download
memory/2200-242-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2208-238-0x0000000004B00000-0x0000000004B01000-memory.dmp

Filesize
4KB

Download
memory/2208-220-0x0000000000870000-0x0000000000871000-memory.dmp

Filesize
4KB

Download
memory/2324-266-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/2324-272-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2396-267-0x0000000000E80000-0x0000000000E81000-memory.dmp

Filesize
4KB

Download
memory/2396-236-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2396-230-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2408-225-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2408-237-0x0000000001250000-0x0000000001251000-memory.dmp

Filesize
4KB

Download
memory/2408-228-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2700-282-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/3056-274-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads