Resubmissions
13/08/2021, 10:16
210813-wpta271jdx 1008/08/2021, 23:00
210808-fgs5g9pxfs 1007/08/2021, 23:12
210807-g2jw1lmd4a 1007/08/2021, 16:10
210807-51nhct4kfx 1006/08/2021, 23:43
210806-gc2271nxwj 1006/08/2021, 06:00
210806-f443x39x8a 1005/08/2021, 17:08
210805-97y6banvvx 1004/08/2021, 17:25
210804-hkxx2ntr8x 1004/08/2021, 12:12
210804-rjbg4b4y7n 1003/08/2021, 17:12
210803-r2h7ytjwqj 10Analysis
-
max time kernel
51s -
max time network
1856s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
29/07/2021, 11:26
General
-
Target
8 (21).exe
-
Size
3.0MB
-
MD5
bb072cad921aa5ce8b97706ce01bc570
-
SHA1
18bf034906c1341b7817e7361ad27a4425d820bd
-
SHA256
817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
-
SHA512
d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474
Score
10/10
Malware Config
Extracted
Family
vidar
Version
39.6
Botnet
933
C2
https://sslamlssa1.tumblr.com/
Attributes
-
profile_id
933
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M1
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Win32/Kelihos.F exe Download 2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Nirsoft 1 IoCs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 18 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 22 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
VMProtect packed file 2 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 64 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 4 IoCs
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 5 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8 (21).exe"C:\Users\Admin\AppData\Local\Temp\8 (21).exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0530D795\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_1.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exesonia_1.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe"C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_1.exe" -a6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_2.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_2.exesonia_2.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_3.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_3.exesonia_3.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1640 -s 10006⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_4.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_4.exesonia_4.exe5⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_5.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_5.exesonia_5.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"C:\Users\Admin\Documents\KZvqShJ9r4xiJVc_UVFdJBCR.exe"7⤵
-
-
-
C:\Users\Admin\Documents\6Ltht0BzS_gXI3ibSS0IsFLf.exe"C:\Users\Admin\Documents\6Ltht0BzS_gXI3ibSS0IsFLf.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\XN2GoTLmPPzxVHpCFMGc0LPu.exe"C:\Users\Admin\Documents\XN2GoTLmPPzxVHpCFMGc0LPu.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Documents\FY8_BpN95wpRcYqnjEcI0dLT.exe"C:\Users\Admin\Documents\FY8_BpN95wpRcYqnjEcI0dLT.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"7⤵
-
-
-
C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe"C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exeC:\Users\Admin\Documents\LrDJtjZxoUhrCgBPKoA3j1Ve.exe7⤵
-
-
-
C:\Users\Admin\Documents\tT3zRPobCkhQwzkaTalybj9u.exe"C:\Users\Admin\Documents\tT3zRPobCkhQwzkaTalybj9u.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\fWdKz3EuYHJn48bJrSL8nFVb.exe"C:\Users\Admin\Documents\fWdKz3EuYHJn48bJrSL8nFVb.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Public\run.exeC:\Users\Public\run.exe7⤵
-
C:\Users\Public\run.exeC:\Users\Public\run.exe8⤵
-
-
-
-
C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"9⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.0.1587411387\95208403" -parentBuildID 20200403170909 -prefsHandle 1132 -prefMapHandle 1068 -prefsLen 1 -prefMapSize 218938 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 1216 gpu10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.3.264911914\465962297" -childID 1 -isForBrowser -prefsHandle 4272 -prefMapHandle 4268 -prefsLen 156 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 4284 tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.13.1297685243\734563361" -childID 2 -isForBrowser -prefsHandle 2604 -prefMapHandle 2592 -prefsLen 7588 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 3288 tab10⤵
-
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2448.20.862995282\1228269900" -childID 3 -isForBrowser -prefsHandle 2388 -prefMapHandle 2356 -prefsLen 8981 -prefMapSize 218938 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2448 "\\.\pipe\gecko-crash-server-pipe.2448" 2560 tab10⤵
-
-
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"8⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef19e4f50,0x7fef19e4f60,0x7fef19e4f709⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:29⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1440 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 /prefetch:89⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,8747893937291852942,7452543449508468204,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1820 /prefetch:19⤵
-
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings9⤵
-
C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x13c,0x140,0x144,0x110,0x148,0x13fc0a890,0x13fc0a8a0,0x13fc0a8b010⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 2976 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 29769⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C taskkill /F /PID 2976 && choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\Documents\EXgOyzYGTmbrN6E1RUlwawJR.exe"8⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F /PID 29769⤵
- Loads dropped DLL
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Documents\dDBJ8YwgEJDByPJuNMNmre8Q.exe"C:\Users\Admin\Documents\dDBJ8YwgEJDByPJuNMNmre8Q.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Documents\p9lbRFUuZxPe4_3PMNzzwxv7.exe"C:\Users\Admin\Documents\p9lbRFUuZxPe4_3PMNzzwxv7.exe"6⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\11111.exeC:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\22222.exeC:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"8⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 2768⤵
- Program crash
-
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt8⤵
-
-
-
-
C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe"C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "XaS9QUUrhNj21ykaBuCx53yR.exe" /f & erase "C:\Users\Admin\Documents\XaS9QUUrhNj21ykaBuCx53yR.exe" & exit7⤵
-
-
-
C:\Users\Admin\Documents\4OpcfTducy9hrCU6bSiXKPfo.exe"C:\Users\Admin\Documents\4OpcfTducy9hrCU6bSiXKPfo.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2204 -s 9687⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe"C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exeC:\Users\Admin\Documents\VHPnnt3DYjtIKlU8mLwO7AHY.exe7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_6.exe4⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0530D795\sonia_6.exesonia_6.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_7.exe4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 316 -s 4124⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\rUNdlL32.eXerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Local\Temp\4A78.exeC:\Users\Admin\AppData\Local\Temp\4A78.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\8BEC.exeC:\Users\Admin\AppData\Local\Temp\8BEC.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im 8BEC.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\8BEC.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im 8BEC.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {E49F9313-260A-4D92-98A3-4BF1AF38854A} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\vvbuuvfC:\Users\Admin\AppData\Roaming\vvbuuvf2⤵
-
C:\Users\Admin\AppData\Roaming\vvbuuvfC:\Users\Admin\AppData\Roaming\vvbuuvf3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\6B43.exeC:\Users\Admin\AppData\Local\Temp\6B43.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\A602.exeC:\Users\Admin\AppData\Local\Temp\A602.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\BFF9.exeC:\Users\Admin\AppData\Local\Temp\BFF9.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\DB28.exeC:\Users\Admin\AppData\Local\Temp\DB28.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\EF83.exeC:\Users\Admin\AppData\Local\Temp\EF83.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\5C89.exeC:\Users\Admin\AppData\Local\Temp\5C89.exe1⤵
-
C:\Windows\system32\cmd.execmd /c start c.exe & start l.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\l.exel.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.exec.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Parlasse.wmv4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
-
-
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^hqVLSBiFVkisDvgANWfHkkgqnFPqUPdvHQlUgqiIGEuNwqJAbhcZzXvwMVhhLiKuVLKNjzkNOHwGyBYbVfCGzdrKzoozMTXmTqRddWgreIkLVQWlWPacEtMEHZxtk$" Ove.wmv1⤵
-
C:\Windows\SysWOW64\PING.EXEping QWOCTUPM -n 301⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.comPuramente.exe.com m1⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m2⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m3⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Puramente.exe.com m4⤵
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7DB0.exeC:\Users\Admin\AppData\Local\Temp\7DB0.exe1⤵
-
C:\Windows\system32\cmd.execmd /c start c.exe & start l.exe2⤵
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\l.exel.exe3⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\c.exec.exe3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Parlasse.wmv4⤵
-
C:\Windows\SysWOW64\cmd.execmd5⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^hqVLSBiFVkisDvgANWfHkkgqnFPqUPdvHQlUgqiIGEuNwqJAbhcZzXvwMVhhLiKuVLKNjzkNOHwGyBYbVfCGzdrKzoozMTXmTqRddWgreIkLVQWlWPacEtMEHZxtk$" Ove.wmv6⤵
-
-
C:\Windows\SysWOW64\PING.EXEping QWOCTUPM -n 306⤵
- Runs ping.exe
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.comPuramente.exe.com m6⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Puramente.exe.com m7⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exeC:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\RegAsm.exe8⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {BCA11F77-3BA9-461F-B745-51375D17818C} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Roaming\vvbuuvfC:\Users\Admin\AppData\Roaming\vvbuuvf2⤵
-
C:\Users\Admin\AppData\Roaming\vvbuuvfC:\Users\Admin\AppData\Roaming\vvbuuvf3⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\BB9B.exeC:\Users\Admin\AppData\Local\Temp\BB9B.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\DC07.exeC:\Users\Admin\AppData\Local\Temp\DC07.exe1⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im DC07.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\DC07.exe" & del C:\ProgramData\*.dll & exit2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im DC07.exe /f3⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4.9MB
-
Filesize
628KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
836KB
-
Filesize
8KB
-
Filesize
448KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
416KB
-
Filesize
46.6MB
-
Filesize
384KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.3MB
-
Filesize
2.3MB
-
Filesize
512KB
-
Filesize
340KB
-
Filesize
36KB