Resubmissions
15-10-2024 15:36
241015-s1zlzasdkc 1001-07-2024 18:32
240701-w6yteawhmq 1001-07-2024 14:52
240701-r82wmaxdnd 1001-07-2024 14:52
240701-r8syqa1dpp 1011-03-2024 21:22
240311-z8dsssgg58 1001-09-2021 13:18
210901-5bmxjspa5s 1001-09-2021 13:04
210901-te4btfspqa 1001-09-2021 05:12
210901-4wnkwm1p3j 1031-08-2021 21:47
210831-41rp97dma2 1031-08-2021 19:51
210831-359awwatje 10Analysis
-
max time kernel
113s -
max time network
1354s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
21-08-2021 07:49
General
-
Target
Setup (12).exe
-
Size
631KB
-
MD5
cb927513ff8ebff4dd52a47f7e42f934
-
SHA1
0de47c02a8adc4940a6c18621b4e4a619641d029
-
SHA256
fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f
-
SHA512
988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
Second_7.5K
C2
45.14.49.200:27625
Extracted
Family
redline
Botnet
www
C2
185.204.109.146:54891
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Extracted
Family
metasploit
Version
windows/single_exec
Extracted
Family
redline
C2
205.185.119.191:18846
Extracted
Family
redline
Botnet
20_8_rs
C2
jekorikani.xyz:80
Extracted
Family
redline
Botnet
dibild
C2
135.148.139.222:33569
Extracted
Family
redline
Botnet
19.08
C2
95.181.172.100:6795
Signatures
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba Payload 2 IoCs
-
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 17 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 32 IoCs
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 39 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 12 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 19 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 7 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Kills process with taskkill 4 IoCs
-
Modifies system certificate store 2 TTPs 7 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Script User-Agent 9 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup (12).exe"C:\Users\Admin\AppData\Local\Temp\Setup (12).exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Documents\XgrwGAQkMvsH2pQxMy14F46a.exe"C:\Users\Admin\Documents\XgrwGAQkMvsH2pQxMy14F46a.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\DihZnmYfLyP_HNnei3NRBCWq.exe"C:\Users\Admin\Documents\DihZnmYfLyP_HNnei3NRBCWq.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\2460299.exe"C:\Users\Admin\AppData\Roaming\2460299.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2652 -s 17084⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\1935926.exe"C:\Users\Admin\AppData\Roaming\1935926.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"4⤵
- Executes dropped EXE
-
-
-
-
C:\Users\Admin\Documents\jcBKuIOkCNzQDgEqD89VNp3s.exe"C:\Users\Admin\Documents\jcBKuIOkCNzQDgEqD89VNp3s.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\jcBKuIOkCNzQDgEqD89VNp3s.exeC:\Users\Admin\Documents\jcBKuIOkCNzQDgEqD89VNp3s.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\LXsjF1wgGVohCNI4DBrmDkl0.exe"C:\Users\Admin\Documents\LXsjF1wgGVohCNI4DBrmDkl0.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\kY29YA7v9pd7ajF5Dch6UGYM.exe"C:\Users\Admin\Documents\kY29YA7v9pd7ajF5Dch6UGYM.exe"2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Documents\ry_BucaqOZdGksVtt1c68WK9.exe"C:\Users\Admin\Documents\ry_BucaqOZdGksVtt1c68WK9.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\RXbS9Cvu3iO8h1DLEYPj1I_F.exe"C:\Users\Admin\Documents\RXbS9Cvu3iO8h1DLEYPj1I_F.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\RXbS9Cvu3iO8h1DLEYPj1I_F.exe"C:\Users\Admin\Documents\RXbS9Cvu3iO8h1DLEYPj1I_F.exe"3⤵
-
-
-
C:\Users\Admin\Documents\3XrOzRySz0P1pHI0bML8YyKk.exe"C:\Users\Admin\Documents\3XrOzRySz0P1pHI0bML8YyKk.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\d7xafN1c_AQtnjYJccHAoeXv.exe"C:\Users\Admin\Documents\d7xafN1c_AQtnjYJccHAoeXv.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\d7xafN1c_AQtnjYJccHAoeXv.exeC:\Users\Admin\Documents\d7xafN1c_AQtnjYJccHAoeXv.exe3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\Uh0Lf_YAHWwfaGI0dZlJzpCU.exe"C:\Users\Admin\Documents\Uh0Lf_YAHWwfaGI0dZlJzpCU.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Documents\Uh0Lf_YAHWwfaGI0dZlJzpCU.exeC:\Users\Admin\Documents\Uh0Lf_YAHWwfaGI0dZlJzpCU.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\Documents\7sGbCBbXZckpgCuDuH6V7F2I.exe"C:\Users\Admin\Documents\7sGbCBbXZckpgCuDuH6V7F2I.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\QBk6SsWhOD_HArGogTz433eS.exe"C:\Users\Admin\Documents\QBk6SsWhOD_HArGogTz433eS.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\RfHrWOKTOAktpdx4bw2mlb1Q.exe"C:\Users\Admin\Documents\RfHrWOKTOAktpdx4bw2mlb1Q.exe"2⤵
-
C:\Users\Admin\Documents\RfHrWOKTOAktpdx4bw2mlb1Q.exe"C:\Users\Admin\Documents\RfHrWOKTOAktpdx4bw2mlb1Q.exe" -q3⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Documents\vyAs9ZLPJonkN0BjgfAMmqwF.exe"C:\Users\Admin\Documents\vyAs9ZLPJonkN0BjgfAMmqwF.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 9043⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\u70hjgDuFmVSczayDEq9Ko8P.exe"C:\Users\Admin\Documents\u70hjgDuFmVSczayDEq9Ko8P.exe"2⤵
-
-
C:\Users\Admin\Documents\1GtwcuX_pLCRovKswQ6KGJCw.exe"C:\Users\Admin\Documents\1GtwcuX_pLCRovKswQ6KGJCw.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-SHDPJ.tmp\1GtwcuX_pLCRovKswQ6KGJCw.tmp"C:\Users\Admin\AppData\Local\Temp\is-SHDPJ.tmp\1GtwcuX_pLCRovKswQ6KGJCw.tmp" /SL5="$10174,138429,56832,C:\Users\Admin\Documents\1GtwcuX_pLCRovKswQ6KGJCw.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-CTFEP.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-CTFEP.tmp\Setup.exe" /Verysilent4⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"C:\Program Files (x86)\GameBox INC\GameBox\LGCH2-401_2021-08-18_14-40.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 13606⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe"C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-UE6U0.tmp\Inlog.tmp"C:\Users\Admin\AppData\Local\Temp\is-UE6U0.tmp\Inlog.tmp" /SL5="$30172,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\Inlog.exe" /Verysilent6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe"C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SID=717 CID=717 SILENT=1 /quiet5⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner 1.0.0\install\FD7DF1F\Cleaner Installation.msi" SID=717 CID=717 SILENT=1 /quiet AI_SETUPEXEPATH="C:\Program Files (x86)\GameBox INC\GameBox\Cleaner Installation.exe" SETUPEXEDIR="C:\Program Files (x86)\GameBox INC\GameBox\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274550 SID=717 CID=717 SILENT=1 /quiet " SID="717" CID="717"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe"C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-CRL1T.tmp\WEATHER Manager.tmp"C:\Users\Admin\AppData\Local\Temp\is-CRL1T.tmp\WEATHER Manager.tmp" /SL5="$201A2,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\WEATHER Manager.exe" /Verysilent6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-13VG2.tmp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\is-13VG2.tmp\Setup.exe" /quiet SILENT=1 AF=715 BF=7157⤵
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Weather\Weather 1.0.0\install\FD7DF1F\Weather Installation.msi" /quiet SILENT=1 AF=715 BF=715 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\is-13VG2.tmp\Setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\is-13VG2.tmp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1629274550 /quiet SILENT=1 AF=715 BF=715 " AF="715" AI_CONTROL_VISUAL_STYLE="16578540;16578540;14988840;12422912" BF="715"8⤵
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe"C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent5⤵
-
C:\Users\Admin\AppData\Local\Temp\is-TLCU3.tmp\VPN.tmp"C:\Users\Admin\AppData\Local\Temp\is-TLCU3.tmp\VPN.tmp" /SL5="$20174,138429,56832,C:\Program Files (x86)\GameBox INC\GameBox\VPN.exe" /Verysilent6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"C:\Program Files (x86)\GameBox INC\GameBox\md7_7dfj.exe"5⤵
-
-
C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"C:\Program Files (x86)\GameBox INC\GameBox\askinstall53.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2820 -s 4686⤵
- Program crash
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"C:\Program Files (x86)\GameBox INC\GameBox\MediaBurner2.exe"5⤵
-
-
C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"C:\Program Files (x86)\GameBox INC\GameBox\PBrowFile15.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\8744229.exe"C:\Users\Admin\AppData\Roaming\8744229.exe"6⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3780 -s 8647⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\5875555.exe"C:\Users\Admin\AppData\Roaming\5875555.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\7014380.exe"C:\Users\Admin\AppData\Roaming\7014380.exe"6⤵
-
-
C:\Users\Admin\AppData\Roaming\8217679.exe"C:\Users\Admin\AppData\Roaming\8217679.exe"6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"5⤵
-
C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe"C:\Program Files (x86)\GameBox INC\GameBox\zhaoy-game.exe" -q6⤵
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"C:\Program Files (x86)\GameBox INC\GameBox\LivelyScreenRecS1.9.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\tmpAD50_tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmpAD50_tmp.exe"6⤵
-
C:\Windows\SysWOW64\dllhost.exe"C:\Windows\System32\dllhost.exe"7⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Eravate.wks7⤵
-
C:\Windows\SysWOW64\cmd.execmd8⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^ULDdlRJfZsbrDapCbeEYycZEgRIWBtYuQhzBPWvHncPJJvLmMbGEuHBnMZeapMOUzsjfZIMBGWAJGfVSyolrbxqpLUPQTrnLHUdspcArKyXpiRSvrlhqBKbYsrEtT$" Una.wks9⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comEsplorarne.exe.com i9⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i10⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i11⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i12⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i13⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i14⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i15⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i16⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i17⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i18⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i19⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i20⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i21⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i22⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i23⤵
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.comC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Esplorarne.exe.com i24⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\PING.EXEping MRBKYMNO -n 309⤵
- Runs ping.exe
-
-
-
-
-
-
C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"C:\Program Files (x86)\GameBox INC\GameBox\xtect12.exe"5⤵
-
C:\Users\Admin\Documents\H67mRZuB3StT6Qh9pyDqufZG.exe"C:\Users\Admin\Documents\H67mRZuB3StT6Qh9pyDqufZG.exe"6⤵
-
C:\Users\Admin\Documents\H67mRZuB3StT6Qh9pyDqufZG.exe"C:\Users\Admin\Documents\H67mRZuB3StT6Qh9pyDqufZG.exe"7⤵
-
-
-
C:\Users\Admin\Documents\plt9xCly0sGk0sDDY_c3Gzpl.exe"C:\Users\Admin\Documents\plt9xCly0sGk0sDDY_c3Gzpl.exe"6⤵
-
-
C:\Users\Admin\Documents\1_ZUn7vD3qN4IRBF1zQ54mCd.exe"C:\Users\Admin\Documents\1_ZUn7vD3qN4IRBF1zQ54mCd.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "1_ZUn7vD3qN4IRBF1zQ54mCd.exe" /f & erase "C:\Users\Admin\Documents\1_ZUn7vD3qN4IRBF1zQ54mCd.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "1_ZUn7vD3qN4IRBF1zQ54mCd.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\7FqrMOEqCdaZeIXVikjt_NAr.exe"C:\Users\Admin\Documents\7FqrMOEqCdaZeIXVikjt_NAr.exe"6⤵
-
-
C:\Users\Admin\Documents\aLsqARb7xrjg3H7os846WIfV.exe"C:\Users\Admin\Documents\aLsqARb7xrjg3H7os846WIfV.exe"6⤵
-
-
C:\Users\Admin\Documents\4tZN3BFlzJFUeo5amgctqM9y.exe"C:\Users\Admin\Documents\4tZN3BFlzJFUeo5amgctqM9y.exe"6⤵
-
-
C:\Users\Admin\Documents\uK9mZw1c67meGBHjrahRwc5o.exe"C:\Users\Admin\Documents\uK9mZw1c67meGBHjrahRwc5o.exe"6⤵
-
-
C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe"C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe"6⤵
-
C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exeC:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe7⤵
-
-
C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exeC:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe7⤵
-
-
C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exeC:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe7⤵
-
-
C:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exeC:\Users\Admin\Documents\Ycy0bgQPqaTulOYA_icjm3tP.exe7⤵
-
-
-
C:\Users\Admin\Documents\QWX2JeVWbPmWQfswk4s9lCsW.exe"C:\Users\Admin\Documents\QWX2JeVWbPmWQfswk4s9lCsW.exe"6⤵
-
-
C:\Users\Admin\Documents\yiUil2w9NLtxS__546v8Rmd4.exe"C:\Users\Admin\Documents\yiUil2w9NLtxS__546v8Rmd4.exe"6⤵
-
C:\Users\Admin\Documents\yiUil2w9NLtxS__546v8Rmd4.exe"C:\Users\Admin\Documents\yiUil2w9NLtxS__546v8Rmd4.exe" -q7⤵
-
-
-
C:\Users\Admin\Documents\ODSakfnNT22XB2UO7Xl1gnxd.exe"C:\Users\Admin\Documents\ODSakfnNT22XB2UO7Xl1gnxd.exe"6⤵
-
-
C:\Users\Admin\Documents\kgy28BY1dCz3Bdp38ubaeJ6Q.exe"C:\Users\Admin\Documents\kgy28BY1dCz3Bdp38ubaeJ6Q.exe"6⤵
-
-
C:\Users\Admin\Documents\M2o757uoGqeY75nW_ubsTFTC.exe"C:\Users\Admin\Documents\M2o757uoGqeY75nW_ubsTFTC.exe"6⤵
-
-
C:\Users\Admin\Documents\vEbsIWHisZtnc_DB1499SiAe.exe"C:\Users\Admin\Documents\vEbsIWHisZtnc_DB1499SiAe.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im vEbsIWHisZtnc_DB1499SiAe.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\vEbsIWHisZtnc_DB1499SiAe.exe" & del C:\ProgramData\*.dll & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im vEbsIWHisZtnc_DB1499SiAe.exe /f8⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 68⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\9EVwIY8murLFMss4YtMN3E3V.exe"C:\Users\Admin\Documents\9EVwIY8murLFMss4YtMN3E3V.exe"6⤵
-
C:\Users\Admin\Documents\9EVwIY8murLFMss4YtMN3E3V.exeC:\Users\Admin\Documents\9EVwIY8murLFMss4YtMN3E3V.exe7⤵
-
-
-
C:\Users\Admin\Documents\RtU2Bjq4lu919suEVDGgx9l7.exe"C:\Users\Admin\Documents\RtU2Bjq4lu919suEVDGgx9l7.exe"6⤵
-
-
C:\Users\Admin\Documents\CcLJEWM3IsWougeRZDd1kT0I.exe"C:\Users\Admin\Documents\CcLJEWM3IsWougeRZDd1kT0I.exe"6⤵
-
C:\Users\Admin\Documents\CcLJEWM3IsWougeRZDd1kT0I.exeC:\Users\Admin\Documents\CcLJEWM3IsWougeRZDd1kT0I.exe7⤵
-
-
-
C:\Users\Admin\Documents\YmtNTOtygF5ewLODX9dnaRwo.exe"C:\Users\Admin\Documents\YmtNTOtygF5ewLODX9dnaRwo.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\8424068.exe"C:\Users\Admin\AppData\Roaming\8424068.exe"7⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2076 -s 15928⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Roaming\2433618.exe"C:\Users\Admin\AppData\Roaming\2433618.exe"7⤵
-
-
-
C:\Users\Admin\Documents\Fs7lqeQipqh6B6mJBmhsAMK6.exe"C:\Users\Admin\Documents\Fs7lqeQipqh6B6mJBmhsAMK6.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\is-7LFG7.tmp\Fs7lqeQipqh6B6mJBmhsAMK6.tmp"C:\Users\Admin\AppData\Local\Temp\is-7LFG7.tmp\Fs7lqeQipqh6B6mJBmhsAMK6.tmp" /SL5="$30190,138429,56832,C:\Users\Admin\Documents\Fs7lqeQipqh6B6mJBmhsAMK6.exe"7⤵
-
-
-
-
-
-
-
C:\Users\Admin\Documents\0NCzzXRSUvN_vgt1iTCuMYZ4.exe"C:\Users\Admin\Documents\0NCzzXRSUvN_vgt1iTCuMYZ4.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "0NCzzXRSUvN_vgt1iTCuMYZ4.exe" /f & erase "C:\Users\Admin\Documents\0NCzzXRSUvN_vgt1iTCuMYZ4.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "0NCzzXRSUvN_vgt1iTCuMYZ4.exe" /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Documents\_wCh0_pk12twdESVfAzeVdRH.exe"C:\Users\Admin\Documents\_wCh0_pk12twdESVfAzeVdRH.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\0EFsImdCwwhWEnQxPLFMyAnl.exe"C:\Users\Admin\Documents\0EFsImdCwwhWEnQxPLFMyAnl.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt4⤵
-
-
-
-
C:\Users\Admin\Documents\PSVXcmxDRsAtSqUpBp52BE74.exe"C:\Users\Admin\Documents\PSVXcmxDRsAtSqUpBp52BE74.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "PSVXcmxDRsAtSqUpBp52BE74.exe" /f & erase "C:\Users\Admin\Documents\PSVXcmxDRsAtSqUpBp52BE74.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "PSVXcmxDRsAtSqUpBp52BE74.exe" /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\5CB.exeC:\Users\Admin\AppData\Local\Temp\5CB.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\5CB.exeC:\Users\Admin\AppData\Local\Temp\5CB.exe2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a0c25802-c1bd-47e1-a4ae-e0467dffc4cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
-
C:\Users\Admin\AppData\Local\Temp\5CB.exe"C:\Users\Admin\AppData\Local\Temp\5CB.exe" --Admin IsNotAutoStart IsNotTask3⤵
-
C:\Users\Admin\AppData\Local\Temp\5CB.exe"C:\Users\Admin\AppData\Local\Temp\5CB.exe" --Admin IsNotAutoStart IsNotTask4⤵
-
C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build2.exe"C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build2.exe"5⤵
-
C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build2.exe"C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build2.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 9127⤵
- Program crash
-
-
-
-
C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build3.exe"C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build3.exe"5⤵
-
C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build3.exe"C:\Users\Admin\AppData\Local\047d499f-5aa2-4bdd-ab60-e80e1fc7c2f2\build3.exe"6⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"7⤵
- Creates scheduled task(s)
-
-
-
-
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85F5B6A1AA5EDC4EF3DF8EF424C04356 C2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A31854E9D7B2E6A4A5D0C0395DABE96E2⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 515127152457B2A0D9C486DDBA853471 C2⤵
-
-
C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"C:\Users\Admin\AppData\Roaming\Cleaner\Cleaner\prerequisites\aipackagechainer.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\1C96.exeC:\Users\Admin\AppData\Local\Temp\1C96.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\4A2C.exeC:\Users\Admin\AppData\Local\Temp\4A2C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7D9C.exeC:\Users\Admin\AppData\Local\Temp\7D9C.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\3⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\bd1299733e\4⤵
-
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN rnyuf.exe /TR "C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe" /F3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\F442.exeC:\Users\Admin\AppData\Local\Temp\F442.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\7uSWD2TTcC.exe"C:\Users\Admin\AppData\Local\Temp\7uSWD2TTcC.exe"2⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\AppData\Local\Temp\kj98jDGFJ5.exe"C:\Users\Admin\AppData\Local\Temp\kj98jDGFJ5.exe"2⤵
- Suspicious use of SetThreadContext
-
C:\Windows\SysWOW64\cmd.execmd /Q /C C:\Users\Admin\AppData\Local\Temp/s.bat3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\F442.exe"2⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /T 10 /NOBREAK3⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {D3A37AC0-5320-4B74-B647-A4906D29FE45} S-1-5-21-2513283230-931923277-594887482-1000:MRBKYMNO\Admin:Interactive:[1]1⤵
-
C:\Users\Admin\AppData\Local\a0c25802-c1bd-47e1-a4ae-e0467dffc4cb\5CB.exeC:\Users\Admin\AppData\Local\a0c25802-c1bd-47e1-a4ae-e0467dffc4cb\5CB.exe --Task2⤵
-
C:\Users\Admin\AppData\Local\a0c25802-c1bd-47e1-a4ae-e0467dffc4cb\5CB.exeC:\Users\Admin\AppData\Local\a0c25802-c1bd-47e1-a4ae-e0467dffc4cb\5CB.exe --Task3⤵
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe2⤵
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe3⤵
-
C:\Windows\SysWOW64\schtasks.exe/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"4⤵
- Creates scheduled task(s)
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exeC:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe2⤵
-
-
C:\Users\Admin\AppData\Roaming\iudubtrC:\Users\Admin\AppData\Roaming\iudubtr2⤵
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exeC:\Users\Admin\AppData\Roaming\Microsoft\Network\sqlcmd.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exeC:\Users\Admin\AppData\Local\Temp\bd1299733e\rnyuf.exe2⤵
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1File and Directory Permissions Modification
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
31.7MB
-
Filesize
36KB
-
Filesize
1.2MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
9.1MB
-
Filesize
35.9MB
-
Filesize
4KB
-
Filesize
12KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
40.8MB
-
Filesize
112KB
-
Filesize
188KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
188KB
-
Filesize
31.7MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
31.7MB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
24KB