Resubmissions

  • 19-08-2021 18:59 210819-yrzbdtvqln 10
  • 18-08-2021 20:25 210818-4hztrzavcs 10
  • 18-08-2021 17:24 210818-9p8lqjhwv2 10
  • 17-08-2021 06:12 210817-kl4jvaaq7x 10
  • 16-08-2021 10:04 210816-nwc3tqkr3a 10
  • 16-08-2021 10:04 210816-5r5rafnh7e 10
  • 16-08-2021 10:04 210816-kdgh648t5e 10
  • 16-08-2021 09:37 210816-9esgfwsmfe 10
  • 16-08-2021 08:13 210816-26la9rblgn 10
  • 17-08-2021 08:51 210817-w2l5yq2wln

Analysis

  • max time kernel
    1801s
  • max time network
    1835s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    16-08-2021 09:37

General

  • Target

    EB7233922891E1DAD0434FBD52623647.exe

  • Size

    7.9MB

  • MD5

    eb7233922891e1dad0434fbd52623647

  • SHA1

    331126b108532ab9a1e932141bff55a38656bce9

  • SHA256

    b39e29c24003441609c457a3455cae9d9fb6f4462f5e06d0c1d317d243711cb8

  • SHA512

    597fbb0f397c45c8a2c5f63893c6d6bd4641e952510dfcac05dadb7afaaf4e005df1261649d4e79951979bad0be1fb09feebac7a6d23c31679590cbf40e1d4ac

Malware Config

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

redline

Botnet

install2

C2

65.21.103.71:56458

Signatures

  • Glupteba

    Glupteba is a modular loader written in Golang with various components.

  • Glupteba Payload 2 IoCs
  • MetaSploit

    Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
  • evasion 6 IoCs
  • suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
  • suricata: ET MALWARE Generic Password Stealer User Agent Detected (RookIE)
  • suricata: ET MALWARE Potential Dridex.Maldoc Minimal Executable Request
  • suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

  • Nirsoft 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 43 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 64 IoCs
  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 5 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Drops file in Program Files directory 5 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 12 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 35 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 20 IoCs
  • Modifies system certificate store 2 TTPs 14 IoCs
  • NTFS ADS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:468
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs
      2⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:868
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {4F364BDF-E09F-4A32-AB42-29C41D1DB1A5} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
        3⤵
        PID:2448
        • C:\Users\Admin\AppData\Roaming\tsjtaae
          C:\Users\Admin\AppData\Roaming\tsjtaae
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:2720
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {CD5B09CB-6D8E-4C01-8FA5-38618A794C5D} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
        3⤵
        PID:2924
        • C:\Users\Admin\AppData\Roaming\tsjtaae
          C:\Users\Admin\AppData\Roaming\tsjtaae
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:2056
      • C:\Windows\system32\taskeng.exe
        taskeng.exe {AFD2EE77-A49C-47D3-ABA2-4C274396697F} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
        3⤵
        PID:2416
        • C:\Users\Admin\AppData\Roaming\tsjtaae
          C:\Users\Admin\AppData\Roaming\tsjtaae
          4⤵
          • Executes dropped EXE
          • Checks SCSI registry key(s)
          • Suspicious behavior: MapViewOfSection
          PID:1548
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      PID:1596
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:848
  • C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe
    "C:\Users\Admin\AppData\Local\Temp\EB7233922891E1DAD0434FBD52623647.exe"
    1⤵
    • Loads dropped DLL
    • Checks whether UAC is enabled
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KRSetp.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious use of AdjustPrivilegeToken
      PID:1952
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Folder.exe" -a
        3⤵
        • Executes dropped EXE
        PID:1552
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:524
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Info.exe"
        3⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Modifies system certificate store
        PID:1608
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installation.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Loads dropped DLL
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:464
      • C:\Users\Admin\Documents\4zT3wkiCtbyjvD8xBkbF9GD5.exe
        "C:\Users\Admin\Documents\4zT3wkiCtbyjvD8xBkbF9GD5.exe"
        3⤵
        • Executes dropped EXE
        PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\97096201599.exe"
          4⤵
          • Loads dropped DLL
          PID:2932
          • C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\97096201599.exe
            "C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\97096201599.exe"
            5⤵
            • Executes dropped EXE
            PID:1148
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\63907631724.exe" /mix
          4⤵
          • Loads dropped DLL
          PID:3056
          • C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\63907631724.exe
            "C:\Users\Admin\AppData\Local\Temp\{oyZM-yYmUF-WNV1-f4sSg}\63907631724.exe" /mix
            5⤵
            PID:2308
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im "4zT3wkiCtbyjvD8xBkbF9GD5.exe" /f & erase "C:\Users\Admin\Documents\4zT3wkiCtbyjvD8xBkbF9GD5.exe" & exit
          4⤵
          PID:2180
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill /im "4zT3wkiCtbyjvD8xBkbF9GD5.exe" /f
            5⤵
            • Kills process with taskkill
            PID:2424
      • C:\Users\Admin\Documents\5SZmByoctiZ2CsguEZ8gjjq2.exe
        "C:\Users\Admin\Documents\5SZmByoctiZ2CsguEZ8gjjq2.exe"
        3⤵
        • Executes dropped EXE
        PID:2124
      • C:\Users\Admin\Documents\EmGERzrv77JqsdC5VtfNUT1G.exe
        "C:\Users\Admin\Documents\EmGERzrv77JqsdC5VtfNUT1G.exe"
        3⤵
        • Executes dropped EXE
        PID:2192
      • C:\Users\Admin\Documents\By2ko3q00D7au_43E24GqZmx.exe
        "C:\Users\Admin\Documents\By2ko3q00D7au_43E24GqZmx.exe"
        3⤵
        • Executes dropped EXE
        PID:2172
      • C:\Users\Admin\Documents\JeQPnCqDAitLP_BWJkFuqIh7.exe
        "C:\Users\Admin\Documents\JeQPnCqDAitLP_BWJkFuqIh7.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:2248
        • C:\Users\Admin\Documents\JeQPnCqDAitLP_BWJkFuqIh7.exe
          "C:\Users\Admin\Documents\JeQPnCqDAitLP_BWJkFuqIh7.exe"
          4⤵
          PID:2556
      • C:\Users\Admin\Documents\wvN8vAaqMpfyggxUk3k2Qyw2.exe
        "C:\Users\Admin\Documents\wvN8vAaqMpfyggxUk3k2Qyw2.exe"
        3⤵
        • Executes dropped EXE
        PID:2236
      • C:\Users\Admin\Documents\ML8PL7sJGvU_7mXXq4nYgRHk.exe
        "C:\Users\Admin\Documents\ML8PL7sJGvU_7mXXq4nYgRHk.exe"
        3⤵
        PID:2352
      • C:\Users\Admin\Documents\5YAXg5lECwdUd8IonxSjL9Ig.exe
        "C:\Users\Admin\Documents\5YAXg5lECwdUd8IonxSjL9Ig.exe"
        3⤵
        PID:2336
      • C:\Users\Admin\Documents\ZsiOWWcfvlBRc03DyI7KrBCy.exe
        "C:\Users\Admin\Documents\ZsiOWWcfvlBRc03DyI7KrBCy.exe"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:2316
      • C:\Users\Admin\Documents\FNoEhxC68EZpKYp0_emrzU1_.exe
        "C:\Users\Admin\Documents\FNoEhxC68EZpKYp0_emrzU1_.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        PID:2296
        • C:\Users\Admin\Documents\FNoEhxC68EZpKYp0_emrzU1_.exe
          "C:\Users\Admin\Documents\FNoEhxC68EZpKYp0_emrzU1_.exe"
          4⤵
          PID:2564
      • C:\Users\Admin\Documents\apQjvCyfF19z8cwMW5P3g0jE.exe
        "C:\Users\Admin\Documents\apQjvCyfF19z8cwMW5P3g0jE.exe"
        3⤵
        • Executes dropped EXE
        PID:2280
      • C:\Users\Admin\Documents\5coTaD6VnXWuauxRC95l4H3b.exe
        "C:\Users\Admin\Documents\5coTaD6VnXWuauxRC95l4H3b.exe"
        3⤵
        • Executes dropped EXE
        PID:2400
        • C:\Users\Admin\Documents\5coTaD6VnXWuauxRC95l4H3b.exe
          "C:\Users\Admin\Documents\5coTaD6VnXWuauxRC95l4H3b.exe"
          4⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          PID:2956
      • C:\Users\Admin\Documents\Co8vKJvz92ZszKV7wdisYj7E.exe
        "C:\Users\Admin\Documents\Co8vKJvz92ZszKV7wdisYj7E.exe"
        3⤵
        • Executes dropped EXE
        PID:2384
      • C:\Users\Admin\Documents\VhwXzacK8G7yDNwxnEZXeMdx.exe
        "C:\Users\Admin\Documents\VhwXzacK8G7yDNwxnEZXeMdx.exe"
        3⤵
        • Executes dropped EXE
        PID:2452
      • C:\Users\Admin\Documents\umJENhSHlChm1lpvdnfRfnBU.exe
        "C:\Users\Admin\Documents\umJENhSHlChm1lpvdnfRfnBU.exe"
        3⤵
        • Executes dropped EXE
        PID:2620
        • C:\Users\Admin\AppData\Roaming\6887239.exe
          "C:\Users\Admin\AppData\Roaming\6887239.exe"
          4⤵
          PID:2132
      • C:\Users\Admin\Documents\xMw212oTt6cjKdikeX4TOLnK.exe
        "C:\Users\Admin\Documents\xMw212oTt6cjKdikeX4TOLnK.exe"
        3⤵
        • Executes dropped EXE
        PID:2608
      • C:\Users\Admin\Documents\u7koBs7KRU1c8Wa6jVKvu1Oa.exe
        "C:\Users\Admin\Documents\u7koBs7KRU1c8Wa6jVKvu1Oa.exe"
        3⤵
        • Executes dropped EXE
        PID:2596
      • C:\Users\Admin\Documents\FesOUPV44sVL8oIWprBMeadi.exe
        "C:\Users\Admin\Documents\FesOUPV44sVL8oIWprBMeadi.exe"
        3⤵
        • Executes dropped EXE
        PID:2532
      • C:\Users\Admin\Documents\tUsNqot2ERev4IO3_JemYQDX.exe
        "C:\Users\Admin\Documents\tUsNqot2ERev4IO3_JemYQDX.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        PID:2520
        • C:\Program Files (x86)\Company\NewProduct\customer3.exe
          "C:\Program Files (x86)\Company\NewProduct\customer3.exe"
          4⤵
          • Executes dropped EXE
          • Modifies system certificate store
          PID:2616
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:2036
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /DeleteCookiesWildcard "*.facebook.com"
            5⤵
            • Executes dropped EXE
            PID:1960
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:1760
          • C:\Users\Admin\AppData\Local\Temp\11111.exe
            C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Profile 2\Cookies" /DeleteCookiesWildcard "*.facebook.com"
            5⤵
            • Executes dropped EXE
            PID:2492
          • C:\Users\Admin\AppData\Local\Temp\22222.exe
            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:1704
          • C:\Users\Admin\AppData\Local\Temp\22222.exe
            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies" /DeleteCookiesWildcard "*.facebook.com"
            5⤵
            • Executes dropped EXE
            PID:2196
          • C:\Users\Admin\AppData\Local\Temp\22222.exe
            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:2400
          • C:\Users\Admin\AppData\Local\Temp\22222.exe
            C:\Users\Admin\AppData\Local\Temp\22222.exe /CookiesFile "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Profile 1\Cookies" /DeleteCookiesWildcard "*.facebook.com"
            5⤵
            • Executes dropped EXE
            PID:2984
        • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
          "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
          4⤵
          • Executes dropped EXE
          PID:2688
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 184
            5⤵
            • Loads dropped DLL
            • Program crash
            • Suspicious behavior: GetForegroundWindowSpam
            PID:1052
        • C:\Program Files (x86)\Company\NewProduct\jooyu.exe
          "C:\Program Files (x86)\Company\NewProduct\jooyu.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Modifies system certificate store
          PID:3052
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:2376
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:2884
          • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
            C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
            5⤵
            • Executes dropped EXE
            PID:2444
      • C:\Users\Admin\Documents\_PGtoNEBVS2CUFVayF_TgRtN.exe
        "C:\Users\Admin\Documents\_PGtoNEBVS2CUFVayF_TgRtN.exe"
        3⤵
        • Executes dropped EXE
        PID:2512
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • NTFS ADS
      • Suspicious use of SetWindowsHookEx
      PID:1220
  • C:\Windows\system32\rUNdlL32.eXe
    rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:828
    • C:\Windows\SysWOW64\rundll32.exe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1920
  • C:\Users\Admin\AppData\Local\Temp\E7DF.exe
    C:\Users\Admin\AppData\Local\Temp\E7DF.exe
    1⤵
    PID:1928

Network

MITRE ATT&CK Enterprise v6


Downloads

  • memory/464-126-0x0000000003FD0000-0x000000000410D000-memory.dmp
    Filesize
    1.2MB

  • memory/524-107-0x0000000001350000-0x0000000001C76000-memory.dmp
    Filesize
    9.1MB

  • memory/524-110-0x0000000000400000-0x0000000000D41000-memory.dmp
    Filesize
    9.3MB

  • memory/848-128-0x0000000000060000-0x00000000000AE000-memory.dmp
    Filesize
    312KB

  • memory/848-129-0x0000000000460000-0x00000000004D4000-memory.dmp
    Filesize
    464KB

  • memory/868-111-0x0000000000840000-0x000000000088C000-memory.dmp
    Filesize
    304KB

  • memory/868-112-0x0000000001200000-0x0000000001271000-memory.dmp
    Filesize
    452KB

  • memory/1120-74-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
    Filesize
    8KB

  • memory/1596-113-0x00000000004B0000-0x0000000000521000-memory.dmp
    Filesize
    452KB

  • memory/1920-108-0x0000000000AA0000-0x0000000000BA1000-memory.dmp
    Filesize
    1.0MB

  • memory/1920-109-0x0000000000970000-0x00000000009CD000-memory.dmp
    Filesize
    372KB

  • memory/1952-72-0x0000000000160000-0x0000000000161000-memory.dmp
    Filesize
    4KB

  • memory/1952-70-0x0000000000150000-0x0000000000151000-memory.dmp
    Filesize
    4KB

  • memory/1952-73-0x000000001AAE0000-0x000000001AAE2000-memory.dmp
    Filesize
    8KB

  • memory/1952-71-0x0000000000200000-0x000000000021C000-memory.dmp
    Filesize
    112KB

  • memory/1952-68-0x0000000000220000-0x0000000000221000-memory.dmp
    Filesize
    4KB

  • memory/1972-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
    Filesize
    8KB

  • memory/2036-212-0x0000000000400000-0x0000000000455000-memory.dmp
    Filesize
    340KB

  • memory/2124-198-0x0000000006E30000-0x0000000006E4A000-memory.dmp
    Filesize
    104KB

  • memory/2124-196-0x0000000004AC0000-0x0000000004ADC000-memory.dmp
    Filesize
    112KB

  • memory/2136-145-0x00000000002B0000-0x00000000002E0000-memory.dmp
    Filesize
    192KB

  • memory/2136-146-0x0000000000400000-0x0000000002CCD000-memory.dmp
    Filesize
    40.8MB

  • memory/2172-191-0x0000000001060000-0x0000000001061000-memory.dmp
    Filesize
    4KB

  • memory/2248-171-0x0000000000220000-0x000000000022A000-memory.dmp
    Filesize
    40KB

  • memory/2512-190-0x0000000000C60000-0x0000000000C61000-memory.dmp
    Filesize
    4KB

  • memory/2556-180-0x0000000000400000-0x0000000000409000-memory.dmp
    Filesize
    36KB

  • memory/2596-189-0x0000000001040000-0x0000000001041000-memory.dmp
    Filesize
    4KB

  • memory/2608-188-0x00000000011A0000-0x00000000011A1000-memory.dmp
    Filesize
    4KB

  • memory/2620-194-0x0000000000460000-0x0000000000476000-memory.dmp
    Filesize
    88KB

  • memory/2620-182-0x0000000000AD0000-0x0000000000AD1000-memory.dmp
    Filesize
    4KB

  • memory/2688-219-0x0000000000400000-0x000000000067D000-memory.dmp
    Filesize
    2.5MB