redline | 2205e931fcca292889c4845eb2b0e961fc7b598c276b6abf71bb5cf6c59c1132

Target

8 (16).exe
Size

3.0MB
MD5

bb072cad921aa5ce8b97706ce01bc570
SHA1

18bf034906c1341b7817e7361ad27a4425d820bd
SHA256

817a50d00909383bbef41e6f4e61b527d55f0873bcf745b29dbba75f52fe2e97
SHA512

d40e5f77d882ed29bd9de5a6848072e2f81cd02176955e2b1a4aedcdf4eb687d77bebe33cef0c7d702bc828181755f86e2564523d476adbb785f396a5ce1d474

Score

10^/10

redline smokeloader socelars vidar 2_8_r 35k_select 921 933 ww aspackv2 backdoor infostealer persistence stealer suricata trojan upx vmprotect

Malware Config

Extracted

Family

vidar

Version

39.6

Botnet

933

https://sslamlssa1.tumblr.com/

Attributes

profile_id
933

Extracted

Family

redline

Botnet

35k_SELECT

45.14.49.117:14251

Extracted

Family

smokeloader

Version

2020

http://conceitosseg.com/upload/

http://integrasidata.com/upload/

http://ozentekstil.com/upload/

http://finbelportal.com/upload/

http://telanganadigital.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

2_8_r

zertypelil.xyz:80

Extracted

Family

redline

Botnet

193.56.146.60:51431

Extracted

Family

vidar

Version

39.9

Botnet

921

https://prophefliloc.tumblr.com/

Attributes

profile_id
921

Signatures

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3580	3584	rUNdlL32.eXe	14
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5468	3584	rundll32.exe	14

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral16/files/0x0002000000015622-240.dat	family_redline
behavioral16/files/0x0002000000015622-256.dat	family_redline
behavioral16/memory/1416-340-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline
behavioral16/memory/1416-342-0x0000000000418E3E-mapping.dmp	family_redline
behavioral16/memory/4896-386-0x0000000004AF0000-0x0000000004B0B000-memory.dmp	family_redline
behavioral16/memory/4896-393-0x0000000004C40000-0x0000000004C5A000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral16/files/0x000100000001ab6c-241.dat	family_socelars
behavioral16/files/0x000100000001ab6c-239.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata

Nirsoft 1 IoCs

resource	yara_rule
behavioral16/memory/2288-368-0x0000000000400000-0x0000000000455000-memory.dmp	Nirsoft

Vidar Stealer 3 IoCs

stealer

resource	yara_rule
behavioral16/memory/372-184-0x0000000000980000-0x0000000000A2E000-memory.dmp	family_vidar
behavioral16/memory/372-192-0x0000000000400000-0x00000000008F2000-memory.dmp	family_vidar
behavioral16/memory/4692-419-0x000000000046B77D-mapping.dmp	family_vidar

ASPack v2.12-2.42 8 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral16/files/0x000100000001ab5a-118.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab5a-119.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab56-122.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab55-123.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab56-125.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab55-124.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab58-127.dat	aspack_v212_v242
behavioral16/files/0x000100000001ab58-130.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 10 IoCs

pid	Process
2764	setup_installer.exe
2920	setup_install.exe
3848	sonia_1.exe
372	sonia_3.exe
2320	sonia_2.exe
3856	sonia_4.exe
2168	sonia_6.exe
2444	sonia_5.exe
3988	svchost.exe
3024	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral16/files/0x000100000001ab63-171.dat	upx
behavioral16/files/0x000100000001ab63-170.dat	upx

VMProtect packed file 1 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral16/memory/3580-324-0x0000000000400000-0x000000000067D000-memory.dmp	vmprotect

Loads dropped DLL 6 IoCs

pid	Process
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe
2920	setup_install.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.exe"	sonia_6.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ipinfo.io
14	ip-api.com
15	ipinfo.io
135	ipinfo.io
142	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
2820	2920	WerFault.exe	77
4772	372	WerFault.exe	88
4176	5068	WerFault.exe	126
476	3400	WerFault.exe	118
4696	3400	WerFault.exe	118
3304	3400	WerFault.exe	118
5032	3400	WerFault.exe	118
5228	3400	WerFault.exe	118

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4652	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1096	taskkill.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	140	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	150	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe
2820	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3856	sonia_4.exe
Token: SeRestorePrivilege	2820	WerFault.exe
Token: SeBackupPrivilege	2820	WerFault.exe
Token: SeDebugPrivilege	2820	WerFault.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 2764	1808	8 (16).exe	76
PID 1808 wrote to memory of 2764	1808	8 (16).exe	76
PID 1808 wrote to memory of 2764	1808	8 (16).exe	76
PID 2764 wrote to memory of 2920	2764	setup_installer.exe	77
PID 2764 wrote to memory of 2920	2764	setup_installer.exe	77
PID 2764 wrote to memory of 2920	2764	setup_installer.exe	77
PID 2920 wrote to memory of 4012	2920	setup_install.exe	80
PID 2920 wrote to memory of 4012	2920	setup_install.exe	80
PID 2920 wrote to memory of 4012	2920	setup_install.exe	80
PID 2920 wrote to memory of 2040	2920	setup_install.exe	81
PID 2920 wrote to memory of 2040	2920	setup_install.exe	81
PID 2920 wrote to memory of 2040	2920	setup_install.exe	81
PID 2920 wrote to memory of 1508	2920	setup_install.exe	82
PID 2920 wrote to memory of 1508	2920	setup_install.exe	82
PID 2920 wrote to memory of 1508	2920	setup_install.exe	82
PID 2920 wrote to memory of 1972	2920	setup_install.exe	83
PID 2920 wrote to memory of 1972	2920	setup_install.exe	83
PID 2920 wrote to memory of 1972	2920	setup_install.exe	83
PID 2920 wrote to memory of 3744	2920	setup_install.exe	84
PID 2920 wrote to memory of 3744	2920	setup_install.exe	84
PID 2920 wrote to memory of 3744	2920	setup_install.exe	84
PID 2920 wrote to memory of 1324	2920	setup_install.exe	87
PID 2920 wrote to memory of 1324	2920	setup_install.exe	87
PID 2920 wrote to memory of 1324	2920	setup_install.exe	87
PID 2920 wrote to memory of 3956	2920	setup_install.exe	85
PID 2920 wrote to memory of 3956	2920	setup_install.exe	85
PID 2920 wrote to memory of 3956	2920	setup_install.exe	85
PID 4012 wrote to memory of 3848	4012	cmd.exe	86
PID 4012 wrote to memory of 3848	4012	cmd.exe	86
PID 4012 wrote to memory of 3848	4012	cmd.exe	86
PID 2040 wrote to memory of 2320	2040	cmd.exe	94
PID 2040 wrote to memory of 2320	2040	cmd.exe	94
PID 2040 wrote to memory of 2320	2040	cmd.exe	94
PID 1508 wrote to memory of 372	1508	cmd.exe	88
PID 1508 wrote to memory of 372	1508	cmd.exe	88
PID 1508 wrote to memory of 372	1508	cmd.exe	88
PID 1972 wrote to memory of 3856	1972	cmd.exe	93
PID 1972 wrote to memory of 3856	1972	cmd.exe	93
PID 1324 wrote to memory of 2168	1324	cmd.exe	92
PID 1324 wrote to memory of 2168	1324	cmd.exe	92
PID 1324 wrote to memory of 2168	1324	cmd.exe	92
PID 3744 wrote to memory of 2444	3744	cmd.exe	90
PID 3744 wrote to memory of 2444	3744	cmd.exe	90
PID 3744 wrote to memory of 2444	3744	cmd.exe	90
PID 3848 wrote to memory of 3988	3848	sonia_1.exe	100
PID 3848 wrote to memory of 3988	3848	sonia_1.exe	100
PID 3848 wrote to memory of 3988	3848	sonia_1.exe	100
PID 2168 wrote to memory of 3024	2168	sonia_6.exe	99
PID 2168 wrote to memory of 3024	2168	sonia_6.exe	99
PID 2168 wrote to memory of 3024	2168	sonia_6.exe	99

C:\Users\Admin\AppData\Local\Temp\8 (16).exe
"C:\Users\Admin\AppData\Local\Temp\8 (16).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_1.exe
        
        sonia_1.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3848
      - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_1.exe" -a
        6⤵
        
        PID:3988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_2.exe
        
        sonia_2.exe
        5⤵
        Executes dropped EXE
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_3.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_3.exe
        
        sonia_3.exe
        5⤵
        Executes dropped EXE
        
        PID:372
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 372 -s 908
        6⤵
        Program crash
        
        PID:4772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_4.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_4.exe
        
        sonia_4.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_5.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_5.exe
        
        sonia_5.exe
        5⤵
        Executes dropped EXE
        
        PID:2444
      - C:\Users\Admin\Documents\gHb4Pi3xDCIkukGVe2LS4ADd.exe
        
        "C:\Users\Admin\Documents\gHb4Pi3xDCIkukGVe2LS4ADd.exe"
        6⤵
        
        PID:4960
      - C:\Users\Admin\Documents\GXzDxx0g2RAqHsDiknKxmAju.exe
        
        "C:\Users\Admin\Documents\GXzDxx0g2RAqHsDiknKxmAju.exe"
        6⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe
        
        C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        7⤵
        
        PID:5284
      - C:\Users\Admin\Documents\NkdpR3AppGODPmdTOU35BLZG.exe
        
        "C:\Users\Admin\Documents\NkdpR3AppGODPmdTOU35BLZG.exe"
        6⤵
        
        PID:4904
        
        C:\Users\Admin\Documents\NkdpR3AppGODPmdTOU35BLZG.exe
        
        C:\Users\Admin\Documents\NkdpR3AppGODPmdTOU35BLZG.exe
        7⤵
        
        PID:4692
      - C:\Users\Admin\Documents\RwdV3lH2bu2azPmjpzE3MqqO.exe
        
        "C:\Users\Admin\Documents\RwdV3lH2bu2azPmjpzE3MqqO.exe"
        6⤵
        
        PID:4896
      - C:\Users\Admin\Documents\FYu9OQNrvZIu_LCqhCu8mASG.exe
        
        "C:\Users\Admin\Documents\FYu9OQNrvZIu_LCqhCu8mASG.exe"
        6⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        8⤵
        Kills process with taskkill
        
        PID:1096
      - C:\Users\Admin\Documents\AmlKA2jD9ogxuwzX0Vt72g0s.exe
        
        "C:\Users\Admin\Documents\AmlKA2jD9ogxuwzX0Vt72g0s.exe"
        6⤵
        
        PID:4868
      - C:\Users\Admin\Documents\mRXQoXJR0__t3lYHqUB67IkA.exe
        
        "C:\Users\Admin\Documents\mRXQoXJR0__t3lYHqUB67IkA.exe"
        6⤵
        
        PID:4860
        
        C:\Users\Admin\Documents\mRXQoXJR0__t3lYHqUB67IkA.exe
        
        C:\Users\Admin\Documents\mRXQoXJR0__t3lYHqUB67IkA.exe
        7⤵
        
        PID:1416
      - C:\Users\Admin\Documents\Cj3gAYqNR1KdLmhgQnlpz2PJ.exe
        
        "C:\Users\Admin\Documents\Cj3gAYqNR1KdLmhgQnlpz2PJ.exe"
        6⤵
        
        PID:5032
        
        C:\Users\Admin\Documents\Cj3gAYqNR1KdLmhgQnlpz2PJ.exe
        
        "C:\Users\Admin\Documents\Cj3gAYqNR1KdLmhgQnlpz2PJ.exe"
        7⤵
        
        PID:4544
      - C:\Users\Admin\Documents\5uDYZw6PDyfNarIiSU7yFyyM.exe
        
        "C:\Users\Admin\Documents\5uDYZw6PDyfNarIiSU7yFyyM.exe"
        6⤵
        
        PID:2192
      - C:\Users\Admin\Documents\HYMglxTLE1JlapC07saneOtS.exe
        
        "C:\Users\Admin\Documents\HYMglxTLE1JlapC07saneOtS.exe"
        6⤵
        
        PID:4596
      - C:\Users\Admin\Documents\hL2OqhnX1_JR2oQuRZkWvYDu.exe
        
        "C:\Users\Admin\Documents\hL2OqhnX1_JR2oQuRZkWvYDu.exe"
        6⤵
        
        PID:4652
        
        C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
        
        "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
        7⤵
        
        PID:3580
        
        C:\Program Files (x86)\Company\NewProduct\customer3.exe
        
        "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
        7⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
        8⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe
        
        C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:2344
        
        C:\Program Files (x86)\Company\NewProduct\jooyu.exe
        
        "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
        7⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        8⤵
        
        PID:4972
      - C:\Users\Admin\Documents\xDN4UfLE7gnWj1AfKv6DhfwT.exe
        
        "C:\Users\Admin\Documents\xDN4UfLE7gnWj1AfKv6DhfwT.exe"
        6⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 660
        7⤵
        Program crash
        
        PID:476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 676
        7⤵
        Program crash
        
        PID:4696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 728
        7⤵
        Program crash
        
        PID:3304
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 820
        7⤵
        Program crash
        
        PID:5032
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3400 -s 776
        7⤵
        Program crash
        
        PID:5228
      - C:\Users\Admin\Documents\T0wmbiv9YcZDqB47YRVQCle5.exe
        
        "C:\Users\Admin\Documents\T0wmbiv9YcZDqB47YRVQCle5.exe"
        6⤵
        
        PID:4884
        
        C:\Users\Admin\Documents\T0wmbiv9YcZDqB47YRVQCle5.exe
        
        "C:\Users\Admin\Documents\T0wmbiv9YcZDqB47YRVQCle5.exe" -a
        7⤵
        
        PID:4980
      - C:\Users\Admin\Documents\cWKnYc8aZ3CTO14c5F86nQyl.exe
        
        "C:\Users\Admin\Documents\cWKnYc8aZ3CTO14c5F86nQyl.exe"
        6⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c ipconfig /all
        7⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        8⤵
        Gathers network information
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c wmic cpu get deviceid, name, numberofcores, maxclockspeed
        7⤵
        
        PID:4860
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic cpu get deviceid, name, numberofcores, maxclockspeed
        8⤵
        
        PID:4220
      - C:\Users\Admin\Documents\7XKIdE8zxEki2su8fZlU9Gk0.exe
        
        "C:\Users\Admin\Documents\7XKIdE8zxEki2su8fZlU9Gk0.exe"
        6⤵
        
        PID:1792
      - C:\Users\Admin\Documents\IdptLSjw76EPXaOTaNfufLK_.exe
        
        "C:\Users\Admin\Documents\IdptLSjw76EPXaOTaNfufLK_.exe"
        6⤵
        
        PID:4968
      - C:\Users\Admin\Documents\9yjExVwDbDccU664v3zIK4Y2.exe
        
        "C:\Users\Admin\Documents\9yjExVwDbDccU664v3zIK4Y2.exe"
        6⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\is-SF52M.tmp\9yjExVwDbDccU664v3zIK4Y2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-SF52M.tmp\9yjExVwDbDccU664v3zIK4Y2.tmp" /SL5="$10274,138429,56832,C:\Users\Admin\Documents\9yjExVwDbDccU664v3zIK4Y2.exe"
        7⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\is-DOLNP.tmp\Setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-DOLNP.tmp\Setup.exe" /Verysilent
        8⤵
        
        PID:2240
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        9⤵
        
        PID:2780
        
        C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
        9⤵
        
        PID:2488
        
        C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
        10⤵
        
        PID:5396
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
        9⤵
        
        PID:3716
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
        9⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\5718722.exe
        
        "C:\Users\Admin\AppData\Roaming\5718722.exe"
        10⤵
        
        PID:5680
        
        C:\Users\Admin\AppData\Roaming\3572340.exe
        
        "C:\Users\Admin\AppData\Roaming\3572340.exe"
        10⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Roaming\8144037.exe
        
        "C:\Users\Admin\AppData\Roaming\8144037.exe"
        10⤵
        
        PID:5716
        
        C:\Users\Admin\AppData\Roaming\5858501.exe
        
        "C:\Users\Admin\AppData\Roaming\5858501.exe"
        10⤵
        
        PID:5804
        
        C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
        
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
        9⤵
        
        PID:2576
      - C:\Users\Admin\Documents\RplkU3lkwbElJUqyTyQKQk4w.exe
        
        "C:\Users\Admin\Documents\RplkU3lkwbElJUqyTyQKQk4w.exe"
        6⤵
        
        PID:5000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_7.exe
      4⤵
      PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sonia_6.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1324
    - - C:\Users\Admin\AppData\Local\Temp\7zSCCA96614\sonia_6.exe
        
        sonia_6.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2168
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:3024
      - C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
        
        C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
        6⤵
        
        PID:2368
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 464
      4⤵
      Program crash
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2820

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
PID:3580
- C:\Windows\SysWOW64\rundll32.exe
  rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
  2⤵
  - Executes dropped EXE
  PID:3024

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:5068
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 5068 -s 76
  2⤵
  - Program crash
  PID:4176

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:5468
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:5496

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/372-192-0x0000000000400000-0x00000000008F2000-memory.dmp

Filesize
4.9MB

Download
memory/372-184-0x0000000000980000-0x0000000000A2E000-memory.dmp

Filesize
696KB

Download
memory/680-322-0x000001C8EAA00000-0x000001C8EAA74000-memory.dmp

Filesize
464KB

Download
memory/680-296-0x000001C8EA690000-0x000001C8EA6DE000-memory.dmp

Filesize
312KB

Download
memory/860-221-0x0000017788C20000-0x0000017788C91000-memory.dmp

Filesize
452KB

Download
memory/992-189-0x000001C36E820000-0x000001C36E891000-memory.dmp

Filesize
452KB

Download
memory/1072-220-0x000001DBA6640000-0x000001DBA66B1000-memory.dmp

Filesize
452KB

Download
memory/1172-224-0x000002A9DED60000-0x000002A9DEDD1000-memory.dmp

Filesize
452KB

Download
memory/1360-225-0x0000023B72C60000-0x0000023B72CD1000-memory.dmp

Filesize
452KB

Download
memory/1392-222-0x000001BF8C1A0000-0x000001BF8C211000-memory.dmp

Filesize
452KB

Download
memory/1416-340-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1416-358-0x0000000005090000-0x0000000005696000-memory.dmp

Filesize
6.0MB

Download
memory/1792-334-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/1792-329-0x0000000004F80000-0x0000000004F82000-memory.dmp

Filesize
8KB

Download
memory/1792-319-0x0000000004FD0000-0x0000000004FD1000-memory.dmp

Filesize
4KB

Download
memory/1792-305-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1860-223-0x000001F45DFA0000-0x000001F45E011000-memory.dmp

Filesize
452KB

Download
memory/2176-308-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2192-302-0x00000000057E0000-0x0000000005CDE000-memory.dmp

Filesize
5.0MB

Download
memory/2192-281-0x0000000000DA0000-0x0000000000DA1000-memory.dmp

Filesize
4KB

Download
memory/2288-368-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2320-190-0x0000000000400000-0x0000000000896000-memory.dmp

Filesize
4.6MB

Download
memory/2320-187-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/2408-200-0x000002AEDE870000-0x000002AEDE8E1000-memory.dmp

Filesize
452KB

Download
memory/2436-195-0x000001B0B5580000-0x000001B0B55F1000-memory.dmp

Filesize
452KB

Download
memory/2700-226-0x00000239B3740000-0x00000239B37B1000-memory.dmp

Filesize
452KB

Download
memory/2720-227-0x0000017D1F080000-0x0000017D1F0F1000-memory.dmp

Filesize
452KB

Download
memory/2740-203-0x000002115CE00000-0x000002115CE71000-memory.dmp

Filesize
452KB

Download
memory/2920-132-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2920-151-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2920-131-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2920-152-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2920-150-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2920-133-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2920-134-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2920-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/3016-260-0x0000000001290000-0x00000000012A5000-memory.dmp

Filesize
84KB

Download
memory/3024-194-0x0000000000DFB000-0x0000000000EFC000-memory.dmp

Filesize
1.0MB

Download
memory/3024-196-0x0000000000F00000-0x0000000000F5D000-memory.dmp

Filesize
372KB

Download
memory/3400-371-0x00000000009F0000-0x0000000000B3A000-memory.dmp

Filesize
1.3MB

Download
memory/3580-324-0x0000000000400000-0x000000000067D000-memory.dmp

Filesize
2.5MB

Download
memory/3856-168-0x0000000001260000-0x0000000001262000-memory.dmp

Filesize
8KB

Download
memory/3856-162-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/3988-188-0x00000152058D0000-0x0000015205941000-memory.dmp

Filesize
452KB

Download
memory/4028-201-0x0000014BCE620000-0x0000014BCE691000-memory.dmp

Filesize
452KB

Download
memory/4028-199-0x0000014BCE560000-0x0000014BCE5AC000-memory.dmp

Filesize
304KB

Download
memory/4532-326-0x0000000003920000-0x000000000395C000-memory.dmp

Filesize
240KB

Download
memory/4532-357-0x00000000050E0000-0x00000000050E1000-memory.dmp

Filesize
4KB

Download
memory/4532-362-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/4532-361-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/4532-360-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/4532-356-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/4532-355-0x00000000050C0000-0x00000000050C1000-memory.dmp

Filesize
4KB

Download
memory/4532-354-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/4532-349-0x0000000005090000-0x0000000005091000-memory.dmp

Filesize
4KB

Download
memory/4532-351-0x00000000050A0000-0x00000000050A1000-memory.dmp

Filesize
4KB

Download
memory/4532-339-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/4532-341-0x0000000005050000-0x0000000005051000-memory.dmp

Filesize
4KB

Download
memory/4532-347-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4532-345-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/4532-343-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/4532-336-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/4532-335-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/4532-327-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4532-333-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/4532-331-0x0000000005000000-0x0000000005001000-memory.dmp

Filesize
4KB

Download
memory/4544-374-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4716-365-0x000002DD73450000-0x000002DD7351F000-memory.dmp

Filesize
828KB

Download
memory/4716-363-0x000002DD733E0000-0x000002DD7344E000-memory.dmp

Filesize
440KB

Download
memory/4824-413-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/4824-408-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/4860-291-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/4860-292-0x0000000002460000-0x00000000024D6000-memory.dmp

Filesize
472KB

Download
memory/4860-259-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/4860-275-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/4868-280-0x0000000005620000-0x0000000005621000-memory.dmp

Filesize
4KB

Download
memory/4868-316-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/4868-284-0x0000000005680000-0x0000000005681000-memory.dmp

Filesize
4KB

Download
memory/4868-314-0x00000000055A0000-0x0000000005BA6000-memory.dmp

Filesize
6.0MB

Download
memory/4868-389-0x00000000072A0000-0x00000000072A1000-memory.dmp

Filesize
4KB

Download
memory/4868-387-0x0000000006BA0000-0x0000000006BA1000-memory.dmp

Filesize
4KB

Download
memory/4868-274-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4868-403-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/4868-257-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/4868-330-0x00000000061C0000-0x00000000061C1000-memory.dmp

Filesize
4KB

Download
memory/4896-386-0x0000000004AF0000-0x0000000004B0B000-memory.dmp

Filesize
108KB

Download
memory/4896-393-0x0000000004C40000-0x0000000004C5A000-memory.dmp

Filesize
104KB

Download
memory/4904-271-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/4904-282-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4904-294-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download
memory/4904-307-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/4904-277-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/4904-254-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/4952-328-0x0000000002DA0000-0x0000000002E71000-memory.dmp

Filesize
836KB

Download
memory/4952-325-0x0000000002D30000-0x0000000002D9F000-memory.dmp

Filesize
444KB

Download
memory/4968-321-0x00000000008B0000-0x00000000008C2000-memory.dmp

Filesize
72KB

Download
memory/4968-300-0x0000000000430000-0x00000000004DE000-memory.dmp

Filesize
696KB

Download
memory/5068-317-0x0000018534870000-0x00000185348E4000-memory.dmp

Filesize
464KB

Download