redline | 022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38

Analysis

max time kernel
151s
max time network
184s
platform
windows7_x64
resource
win7v20210408
submitted
05-09-2021 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14644CC2D4377E98E15DA8E998EE6B54.exe
Size

4.6MB
MD5

14644cc2d4377e98e15da8e998ee6b54
SHA1

c5c38e0c6df24bb414081d9221bf0e300a823c9c
SHA256

022fc71a6661ab3d6efc0f7d3e560a05cceb22b31081e7cb5d882b01921d5e38
SHA512

8f0e8377d373f40de089122c125de9228903fb300ed8ad303d62c7a8289e0628361f55996fc58f04456c431990a8a845e30d7c0054982a47d808b4e5c95034e2

Score

10^/10

redline vidar vkeylogger 706 aspackv2 infostealer keylogger stealer suricata

Malware Config

Extracted

Family

vidar

Version

40.3

Botnet

706

https://lenko349.tumblr.com/

Attributes

profile_id
706

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2140	rundll32.exe	52

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral1/memory/2580-245-0x0000000000420000-0x000000000044E000-memory.dmp	family_redline

VKeylogger
A keylogger first seen in Nov 2020.
stealer keylogger vkeylogger

VKeylogger Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3152-348-0x0000000000240000-0x000000000024E000-memory.dmp	family_vkeylogger
behavioral1/memory/3152-353-0x0000000000400000-0x0000000002CBE000-memory.dmp	family_vkeylogger

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata: ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
suricata
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata: ET MALWARE JS/Nemucod.M.gen downloading EXE payload
suricata
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata: ET MALWARE Observed Win32/Ymacco.AA36 User-Agent
suricata
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata: ET MALWARE Win32/Tnega Activity (GET)
suricata

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral1/memory/612-194-0x0000000000400000-0x0000000002BB2000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00040000000130cb-68.dat	aspack_v212_v242
behavioral1/files/0x00040000000130c9-71.dat	aspack_v212_v242
behavioral1/files/0x00040000000130c9-70.dat	aspack_v212_v242
behavioral1/files/0x00040000000130cb-69.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d1-74.dat	aspack_v212_v242
behavioral1/files/0x00030000000130d1-75.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
1128	setup_install.exe
668	Wed220a78e02f9cdc2.exe
1876	Wed2235d696e09087db.exe
920	Wed2276f461788d71.exe
812	Wed2276a59f98c5.exe
1056	Wed226a1ef36724b3ee.exe

Loads dropped DLL 18 IoCs

pid	Process
1652	14644CC2D4377E98E15DA8E998EE6B54.exe
1652	14644CC2D4377E98E15DA8E998EE6B54.exe
1652	14644CC2D4377E98E15DA8E998EE6B54.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
1128	setup_install.exe
316	cmd.exe
1620	cmd.exe
616	cmd.exe
1204	cmd.exe
1476	cmd.exe
1624	cmd.exe
1624	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
225	ipinfo.io
227	ipinfo.io
32	ipinfo.io
33	ipinfo.io
51	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2064	2296	WerFault.exe	57
3844	612	WerFault.exe	42
1364	3200	WerFault.exe	96

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3488	schtasks.exe
2092	schtasks.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
4524	taskkill.exe
2312	taskkill.exe
4052	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1652 wrote to memory of 1128	1652	14644CC2D4377E98E15DA8E998EE6B54.exe	26
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 1672	1128	setup_install.exe	28
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 316	1128	setup_install.exe	29
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1204	1128	setup_install.exe	30
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1620	1128	setup_install.exe	31
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1128 wrote to memory of 1624	1128	setup_install.exe	32
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 1672 wrote to memory of 1588	1672	cmd.exe	33
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 316 wrote to memory of 668	316	cmd.exe	45
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 616	1128	setup_install.exe	34
PID 1128 wrote to memory of 864	1128	setup_install.exe	44

C:\Users\Admin\AppData\Local\Temp\14644CC2D4377E98E15DA8E998EE6B54.exe
"C:\Users\Admin\AppData\Local\Temp\14644CC2D4377E98E15DA8E998EE6B54.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed220a78e02f9cdc2.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed220a78e02f9cdc2.exe
      Wed220a78e02f9cdc2.exe
      4⤵
      Executes dropped EXE
      PID:668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed226a1ef36724b3ee.exe
    3⤵
    - Loads dropped DLL
    PID:1204
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed226a1ef36724b3ee.exe
      Wed226a1ef36724b3ee.exe
      4⤵
      Executes dropped EXE
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2235d696e09087db.exe
    3⤵
    - Loads dropped DLL
    PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed2235d696e09087db.exe
      Wed2235d696e09087db.exe
      4⤵
      Executes dropped EXE
      PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX0\KiffApp2.exe"
        5⤵
        
        PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed22ba1658550.exe
    3⤵
    - Loads dropped DLL
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed22ba1658550.exe
      Wed22ba1658550.exe
      4⤵
      PID:612
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 612 -s 968
        5⤵
        Program crash
        
        PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2276f461788d71.exe
    3⤵
    - Loads dropped DLL
    PID:616
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed2276f461788d71.exe
      Wed2276f461788d71.exe
      4⤵
      Executes dropped EXE
      PID:920
    - - C:\Users\Admin\AppData\Local\Temp\is-6F77L.tmp\Wed2276f461788d71.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-6F77L.tmp\Wed2276f461788d71.tmp" /SL5="$1018A,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed2276f461788d71.exe"
        5⤵
        
        PID:1576
      - C:\Users\Admin\AppData\Local\Temp\is-SGHTH.tmp\zab2our.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-SGHTH.tmp\zab2our.exe" /S /UID=burnerch2
        6⤵
        
        PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2276a59f98c5.exe
    3⤵
    - Loads dropped DLL
    PID:1476
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed2276a59f98c5.exe
      Wed2276a59f98c5.exe
      4⤵
      Executes dropped EXE
      PID:812
    - - C:\Users\Admin\AppData\Roaming\8126059.exe
        
        "C:\Users\Admin\AppData\Roaming\8126059.exe"
        5⤵
        
        PID:2420
    - - C:\Users\Admin\AppData\Roaming\2785173.exe
        
        "C:\Users\Admin\AppData\Roaming\2785173.exe"
        5⤵
        
        PID:2552
      - C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        6⤵
        
        PID:2512
    - - C:\Users\Admin\AppData\Roaming\5881713.exe
        
        "C:\Users\Admin\AppData\Roaming\5881713.exe"
        5⤵
        
        PID:2580
    - - C:\Users\Admin\AppData\Roaming\3505288.exe
        
        "C:\Users\Admin\AppData\Roaming\3505288.exe"
        5⤵
        
        PID:2988
    - - C:\Users\Admin\AppData\Roaming\4003246.exe
        
        "C:\Users\Admin\AppData\Roaming\4003246.exe"
        5⤵
        
        PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed22e50546816d16.exe
    3⤵
    PID:856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed2259ec17c7e3de63.exe
    3⤵
    PID:1300
  - - C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed2259ec17c7e3de63.exe
      Wed2259ec17c7e3de63.exe
      4⤵
      PID:960
    - - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        5⤵
        
        PID:1932
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        7⤵
        
        PID:300
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        8⤵
        Creates scheduled task(s)
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\services64.exe
        
        "C:\Users\Admin\AppData\Roaming\services64.exe"
        7⤵
        
        PID:3592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit
        8⤵
        
        PID:2996
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"'
        9⤵
        Creates scheduled task(s)
        
        PID:2092
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
        8⤵
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        6⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Roaming\7831543.exe
        
        "C:\Users\Admin\AppData\Roaming\7831543.exe"
        7⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Roaming\8668964.exe
        
        "C:\Users\Admin\AppData\Roaming\8668964.exe"
        7⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Roaming\7081070.exe
        
        "C:\Users\Admin\AppData\Roaming\7081070.exe"
        7⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Roaming\3920056.exe
        
        "C:\Users\Admin\AppData\Roaming\3920056.exe"
        7⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\8970369.exe
        
        "C:\Users\Admin\AppData\Roaming\8970369.exe"
        7⤵
        
        PID:2856
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        
        PID:2296
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2296 -s 1392
        7⤵
        Program crash
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        7⤵
        
        PID:524
      - C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        6⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\is-A6PRU.tmp\setup_2.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A6PRU.tmp\setup_2.tmp" /SL5="$101C2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe"
        7⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\setup_2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
        8⤵
        
        PID:300
      - C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe"
        6⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\3002.exe
        
        "C:\Users\Admin\AppData\Local\Temp\3002.exe" -a
        7⤵
        
        PID:2832
      - C:\Users\Admin\AppData\Local\Temp\jhuuee.exe
        
        "C:\Users\Admin\AppData\Local\Temp\jhuuee.exe"
        6⤵
        
        PID:2688
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        
        PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Wed220ea31c8d2529.exe
    3⤵
    PID:864

C:\Users\Admin\AppData\Local\Temp\7zS4765CEF4\Wed220ea31c8d2529.exe
Wed220ea31c8d2529.exe
1⤵
PID:1784
- C:\Users\Admin\Documents\tnKKcjRfiw_bO_DCIVvQhCJq.exe
  "C:\Users\Admin\Documents\tnKKcjRfiw_bO_DCIVvQhCJq.exe"
  2⤵
  PID:604
- C:\Users\Admin\Documents\4zPy_yud5axqMaTUrjtq62mo.exe
  "C:\Users\Admin\Documents\4zPy_yud5axqMaTUrjtq62mo.exe"
  2⤵
  PID:3212
- - C:\Program Files (x86)\Company\NewProduct\inst001.exe
    "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
    3⤵
    PID:1088
- - C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
    "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
    3⤵
    PID:1300
- - C:\Program Files (x86)\Company\NewProduct\cutm3.exe
    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
    3⤵
    PID:2024
- C:\Users\Admin\Documents\oJ3dsgUiHBGBV6QvqrqT4x9z.exe
  "C:\Users\Admin\Documents\oJ3dsgUiHBGBV6QvqrqT4x9z.exe"
  2⤵
  PID:3200
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 984
    3⤵
    - Program crash
    PID:1364
- C:\Users\Admin\Documents\3ePu_al2HsNgljzh7A81IzR_.exe
  "C:\Users\Admin\Documents\3ePu_al2HsNgljzh7A81IzR_.exe"
  2⤵
  PID:3192
- C:\Users\Admin\Documents\jxE3skDuuZFhpBvqZ9ablMzl.exe
  "C:\Users\Admin\Documents\jxE3skDuuZFhpBvqZ9ablMzl.exe"
  2⤵
  PID:3184
- C:\Users\Admin\Documents\5cqu_6X4jEGmp6UHVZSvuwiY.exe
  "C:\Users\Admin\Documents\5cqu_6X4jEGmp6UHVZSvuwiY.exe"
  2⤵
  PID:3176
- C:\Users\Admin\Documents\jmYSpcPsPxAAd7m6ImR0o65b.exe
  "C:\Users\Admin\Documents\jmYSpcPsPxAAd7m6ImR0o65b.exe"
  2⤵
  PID:3168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:432
- C:\Users\Admin\Documents\3httLvqo6CDVNmmH3s1XB13i.exe
  "C:\Users\Admin\Documents\3httLvqo6CDVNmmH3s1XB13i.exe"
  2⤵
  PID:3160
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\DPRwKy.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\DPRwKy.exe"
    3⤵
    PID:3748
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\UopEIp.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\UopEIp.exe"
    3⤵
    PID:3584
- C:\Users\Admin\Documents\qLyDhValRzJ0pPozoGV1hRNb.exe
  "C:\Users\Admin\Documents\qLyDhValRzJ0pPozoGV1hRNb.exe"
  2⤵
  PID:3152
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:4044
- C:\Users\Admin\Documents\siHMebj5fzKm_cUXDswEvzma.exe
  "C:\Users\Admin\Documents\siHMebj5fzKm_cUXDswEvzma.exe"
  2⤵
  PID:3144
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "siHMebj5fzKm_cUXDswEvzma.exe" /f & erase "C:\Users\Admin\Documents\siHMebj5fzKm_cUXDswEvzma.exe" & exit
    3⤵
    PID:2716
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "siHMebj5fzKm_cUXDswEvzma.exe" /f
      4⤵
      Kills process with taskkill
      PID:4052
- C:\Users\Admin\Documents\XDv00uCp19rtoDL_PWEXtKQF.exe
  "C:\Users\Admin\Documents\XDv00uCp19rtoDL_PWEXtKQF.exe"
  2⤵
  PID:3136
- - C:\Users\Admin\AppData\Roaming\2245986.exe
    "C:\Users\Admin\AppData\Roaming\2245986.exe"
    3⤵
    PID:240
- - C:\Users\Admin\AppData\Roaming\4535279.exe
    "C:\Users\Admin\AppData\Roaming\4535279.exe"
    3⤵
    PID:1784
- - C:\Users\Admin\AppData\Roaming\1034802.exe
    "C:\Users\Admin\AppData\Roaming\1034802.exe"
    3⤵
    PID:2900
- - C:\Users\Admin\AppData\Roaming\8392939.exe
    "C:\Users\Admin\AppData\Roaming\8392939.exe"
    3⤵
    PID:4380
- C:\Users\Admin\Documents\qKWyq0DZqB7GgDA1xDiUEtbH.exe
  "C:\Users\Admin\Documents\qKWyq0DZqB7GgDA1xDiUEtbH.exe"
  2⤵
  PID:3124
- C:\Users\Admin\Documents\jFt97rbYYrHto2OqtV9TESqW.exe
  "C:\Users\Admin\Documents\jFt97rbYYrHto2OqtV9TESqW.exe"
  2⤵
  PID:3112
- C:\Users\Admin\Documents\RV01g16loBd9osBXUv76ZFSz.exe
  "C:\Users\Admin\Documents\RV01g16loBd9osBXUv76ZFSz.exe"
  2⤵
  PID:3100
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "RV01g16loBd9osBXUv76ZFSz.exe" /f & erase "C:\Users\Admin\Documents\RV01g16loBd9osBXUv76ZFSz.exe" & exit
    3⤵
    PID:4252
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "RV01g16loBd9osBXUv76ZFSz.exe" /f
      4⤵
      Kills process with taskkill
      PID:4524
- C:\Users\Admin\Documents\QKbrAkDbaYwByykql7ORFwak.exe
  "C:\Users\Admin\Documents\QKbrAkDbaYwByykql7ORFwak.exe"
  2⤵
  PID:3084
- C:\Users\Admin\Documents\UIS9_fAaOFTgsKjc_8GrPzP4.exe
  "C:\Users\Admin\Documents\UIS9_fAaOFTgsKjc_8GrPzP4.exe"
  2⤵
  PID:2676
- C:\Users\Admin\Documents\UBGcv1IYECEpcW6dJKzHqovj.exe
  "C:\Users\Admin\Documents\UBGcv1IYECEpcW6dJKzHqovj.exe"
  2⤵
  PID:2840
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VbScRIpt: CloSE ( CReATEobJECT ( "WscrIpt.SheLL").Run( "cmD.exe /Q /c TYPE ""C:\Users\Admin\Documents\UBGcv1IYECEpcW6dJKzHqovj.exe"" > X4d4XArNWDu.eXE&& StArt X4D4XarNWDu.Exe -PXPoqL0iOUHHP7hXFattB5ZvsV & if """"== """" for %A IN (""C:\Users\Admin\Documents\UBGcv1IYECEpcW6dJKzHqovj.exe"" ) do taskkill /f -im ""%~nxA"" " , 0, trUE ) )
    3⤵
    PID:3608
- C:\Users\Admin\Documents\aFuBKoEcT3UtzxYbaaQaxg4E.exe
  "C:\Users\Admin\Documents\aFuBKoEcT3UtzxYbaaQaxg4E.exe"
  2⤵
  PID:2696
- C:\Users\Admin\Documents\EGSslGEz7K9Ub0xmBqQxJROk.exe
  "C:\Users\Admin\Documents\EGSslGEz7K9Ub0xmBqQxJROk.exe"
  2⤵
  PID:2684
- C:\Users\Admin\Documents\1OdyNusxfay18CwZaTGduEoH.exe
  "C:\Users\Admin\Documents\1OdyNusxfay18CwZaTGduEoH.exe"
  2⤵
  PID:2268
- C:\Users\Admin\Documents\j6BcAs5MvvBPzIlDosTyM4EF.exe
  "C:\Users\Admin\Documents\j6BcAs5MvvBPzIlDosTyM4EF.exe"
  2⤵
  PID:1836
- - C:\Users\Admin\Documents\j6BcAs5MvvBPzIlDosTyM4EF.exe
    "C:\Users\Admin\Documents\j6BcAs5MvvBPzIlDosTyM4EF.exe"
    3⤵
    PID:3964
- C:\Users\Admin\Documents\ALOcTMBua_SinrMsu3oVH48Q.exe
  "C:\Users\Admin\Documents\ALOcTMBua_SinrMsu3oVH48Q.exe"
  2⤵
  PID:3260
- C:\Users\Admin\Documents\A5J2Wwz_eSYFcgNKzaYH69yz.exe
  "C:\Users\Admin\Documents\A5J2Wwz_eSYFcgNKzaYH69yz.exe"
  2⤵
  PID:3252
- - C:\Users\Admin\Documents\A5J2Wwz_eSYFcgNKzaYH69yz.exe
    "C:\Users\Admin\Documents\A5J2Wwz_eSYFcgNKzaYH69yz.exe"
    3⤵
    PID:4712
- C:\Users\Admin\Documents\fCmW52LYr6aG4Bdvmraf4QEA.exe
  "C:\Users\Admin\Documents\fCmW52LYr6aG4Bdvmraf4QEA.exe"
  2⤵
  PID:3244
- C:\Users\Admin\Documents\4j0fI0iEGwZHL59qtNP9IHqd.exe
  "C:\Users\Admin\Documents\4j0fI0iEGwZHL59qtNP9IHqd.exe"
  2⤵
  PID:3220
- C:\Users\Admin\Documents\m2JMcaaGkm8Mw43683YotOzW.exe
  "C:\Users\Admin\Documents\m2JMcaaGkm8Mw43683YotOzW.exe"
  2⤵
  PID:3852

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "setup.exe" /f
1⤵
- Kills process with taskkill
PID:2312

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2800
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2648

C:\Users\Admin\AppData\Local\Temp\is-HCFFV.tmp\setup_2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HCFFV.tmp\setup_2.tmp" /SL5="$201C2,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_2.exe" /SILENT
1⤵
PID:1752
- C:\Users\Admin\AppData\Local\Temp\is-8855T.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-8855T.tmp\postback.exe" ss1
  2⤵
  PID:3024
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe ss1
    3⤵
    PID:740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/300-303-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/612-191-0x0000000003250000-0x0000000005A02000-memory.dmp

Filesize
39.7MB

Download
memory/612-194-0x0000000000400000-0x0000000002BB2000-memory.dmp

Filesize
39.7MB

Download
memory/812-176-0x000000001AF00000-0x000000001AF02000-memory.dmp

Filesize
8KB

Download
memory/812-141-0x0000000001350000-0x0000000001351000-memory.dmp

Filesize
4KB

Download
memory/812-149-0x00000000003C0000-0x00000000003D7000-memory.dmp

Filesize
92KB

Download
memory/920-174-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/940-316-0x000000001AF00000-0x000000001AF02000-memory.dmp

Filesize
8KB

Download
memory/960-152-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download
memory/960-175-0x000000001B3C0000-0x000000001B3C2000-memory.dmp

Filesize
8KB

Download
memory/1056-158-0x000000001B000000-0x000000001B002000-memory.dmp

Filesize
8KB

Download
memory/1056-169-0x0000000000440000-0x000000000044B000-memory.dmp

Filesize
44KB

Download
memory/1056-139-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/1128-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1128-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1128-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1128-83-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1128-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1128-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1128-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1128-102-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1128-87-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1128-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1576-190-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/1588-192-0x0000000004A90000-0x0000000004A91000-memory.dmp

Filesize
4KB

Download
memory/1588-193-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1588-195-0x0000000004A92000-0x0000000004A93000-memory.dmp

Filesize
4KB

Download
memory/1588-196-0x0000000004AD0000-0x0000000004AD1000-memory.dmp

Filesize
4KB

Download
memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp

Filesize
8KB

Download
memory/1720-221-0x000000001B5A0000-0x000000001B5A2000-memory.dmp

Filesize
8KB

Download
memory/1720-184-0x0000000001200000-0x0000000001201000-memory.dmp

Filesize
4KB

Download
memory/1752-312-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1784-214-0x0000000003FB0000-0x00000000040EF000-memory.dmp

Filesize
1.2MB

Download
memory/1932-199-0x00000000010F0000-0x00000000010F1000-memory.dmp

Filesize
4KB

Download
memory/2148-206-0x0000000000AF0000-0x0000000000AF2000-memory.dmp

Filesize
8KB

Download
memory/2204-203-0x000000013F160000-0x000000013F161000-memory.dmp

Filesize
4KB

Download
memory/2204-321-0x000000001CAD0000-0x000000001CAD2000-memory.dmp

Filesize
8KB

Download
memory/2240-311-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/2248-207-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2248-212-0x0000000000150000-0x0000000000167000-memory.dmp

Filesize
92KB

Download
memory/2248-215-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download
memory/2296-213-0x000000001B0B0000-0x000000001B0B2000-memory.dmp

Filesize
8KB

Download
memory/2296-210-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2364-251-0x0000000000400000-0x000000000217A000-memory.dmp

Filesize
29.5MB

Download
memory/2364-239-0x0000000000240000-0x000000000026F000-memory.dmp

Filesize
188KB

Download
memory/2400-309-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2420-217-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2420-220-0x000000001AF10000-0x000000001AF12000-memory.dmp

Filesize
8KB

Download
memory/2420-219-0x00000000002C0000-0x00000000002FE000-memory.dmp

Filesize
248KB

Download
memory/2512-313-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/2552-247-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2552-226-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/2552-235-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2580-245-0x0000000000420000-0x000000000044E000-memory.dmp

Filesize
184KB

Download
memory/2580-237-0x0000000000E30000-0x0000000000E31000-memory.dmp

Filesize
4KB

Download
memory/2580-310-0x0000000004B30000-0x0000000004B31000-memory.dmp

Filesize
4KB

Download
memory/2636-241-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2644-315-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/2792-246-0x0000000001060000-0x0000000001061000-memory.dmp

Filesize
4KB

Download
memory/2792-259-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2868-299-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/3084-368-0x0000000002E50000-0x0000000002E51000-memory.dmp

Filesize
4KB

Download
memory/3136-352-0x000000001ABF0000-0x000000001ABF2000-memory.dmp

Filesize
8KB

Download
memory/3152-348-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/3152-353-0x0000000000400000-0x0000000002CBE000-memory.dmp

Filesize
40.7MB

Download
memory/3168-359-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/3200-365-0x0000000002820000-0x00000000045EA000-memory.dmp

Filesize
29.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads