redline | 7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed

Analysis

max time kernel
62s
max time network
74s
platform
windows10_x64
resource
win10-jp
submitted
16-09-2021 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_x86_x64_install.exe
Size

6.5MB
MD5

064f0d6900675bed580da1291a566cfa
SHA1

f81699a68c901d190842de735dbda28a3fb52292
SHA256

7ec88d4baa0a97362a026cf6e0f46422379a99be6d9bfe19034152f3d47cc0ed
SHA512

41dc5c444afd6b5dc0947cf9950acb5aa1081ee9921c748195325b5cfcb23532cea1802959baa59a0c41ed998ba20b509ec107da882d5d8b3bf0b1d17f892738

Score

10^/10

redline smokeloader socelars medianew aspackv2 backdoor infostealer stealer trojan vmprotect

Malware Config

Extracted

Family

redline

Botnet

medianew

91.121.67.60:62102

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral6/memory/3872-285-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral6/memory/3872-288-0x000000000041C5D6-mapping.dmp	family_redline
behavioral6/memory/4116-317-0x000000000041C5CA-mapping.dmp	family_redline
behavioral6/memory/4868-335-0x000000000041C5E2-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

resource	yara_rule
behavioral6/files/0x000400000001ab33-150.dat	family_socelars
behavioral6/files/0x000400000001ab33-186.dat	family_socelars

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral6/files/0x000400000001ab2b-124.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab2c-123.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab2e-128.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab2e-129.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab2c-126.dat	aspack_v212_v242
behavioral6/files/0x000400000001ab2b-125.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
3892	setup_installer.exe
4060	setup_install.exe
3728	Thu2026c04e7218e1.exe
980	Thu20f2cf5e0c.exe
1896	Thu20c467678e2c.exe
1936	Thu20a5f7ccaa78.exe
4732	Thu2094524d5e5b.exe
4784	Thu2090b5515d63b2.exe
1692	Thu203b503b429e68.exe
4720	Thu20dae7c52bc0856.exe
4856	Thu2025d6674aed72ba.exe
4864	Thu2026c04e7218e1.tmp
4924	Thu203cdb52ef3c6580d.exe
4836	Thu20bc9ea26f.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral6/files/0x000600000001ab49-142.dat	vmprotect
behavioral6/memory/4720-200-0x0000000140000000-0x0000000140650000-memory.dmp	vmprotect
behavioral6/files/0x000600000001ab49-187.dat	vmprotect

Loads dropped DLL 7 IoCs

pid	Process
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe
4060	setup_install.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com
48	ipinfo.io
49	ipinfo.io

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 11 IoCs

pid	pid_target	Process	procid_target
5060	3856	WerFault.exe	111
1532	4856	WerFault.exe	100
5052	3856	WerFault.exe	111
2860	4856	WerFault.exe	100
4484	3856	WerFault.exe	111
4988	4856	WerFault.exe	100
556	3856	WerFault.exe	111
4832	4856	WerFault.exe	100
2700	3856	WerFault.exe	111
4624	4856	WerFault.exe	100
1792	3856	WerFault.exe	111

Kills process with taskkill 1 IoCs

evasion

pid	Process
4916	taskkill.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1692	Thu203b503b429e68.exe
Token: SeAssignPrimaryTokenPrivilege	1692	Thu203b503b429e68.exe
Token: SeLockMemoryPrivilege	1692	Thu203b503b429e68.exe
Token: SeIncreaseQuotaPrivilege	1692	Thu203b503b429e68.exe
Token: SeMachineAccountPrivilege	1692	Thu203b503b429e68.exe
Token: SeTcbPrivilege	1692	Thu203b503b429e68.exe
Token: SeSecurityPrivilege	1692	Thu203b503b429e68.exe
Token: SeTakeOwnershipPrivilege	1692	Thu203b503b429e68.exe
Token: SeLoadDriverPrivilege	1692	Thu203b503b429e68.exe
Token: SeSystemProfilePrivilege	1692	Thu203b503b429e68.exe
Token: SeSystemtimePrivilege	1692	Thu203b503b429e68.exe
Token: SeProfSingleProcessPrivilege	1692	Thu203b503b429e68.exe
Token: SeIncBasePriorityPrivilege	1692	Thu203b503b429e68.exe
Token: SeCreatePagefilePrivilege	1692	Thu203b503b429e68.exe
Token: SeCreatePermanentPrivilege	1692	Thu203b503b429e68.exe
Token: SeBackupPrivilege	1692	Thu203b503b429e68.exe
Token: SeRestorePrivilege	1692	Thu203b503b429e68.exe
Token: SeShutdownPrivilege	1692	Thu203b503b429e68.exe
Token: SeDebugPrivilege	1692	Thu203b503b429e68.exe
Token: SeAuditPrivilege	1692	Thu203b503b429e68.exe
Token: SeSystemEnvironmentPrivilege	1692	Thu203b503b429e68.exe
Token: SeChangeNotifyPrivilege	1692	Thu203b503b429e68.exe
Token: SeRemoteShutdownPrivilege	1692	Thu203b503b429e68.exe
Token: SeUndockPrivilege	1692	Thu203b503b429e68.exe
Token: SeSyncAgentPrivilege	1692	Thu203b503b429e68.exe
Token: SeEnableDelegationPrivilege	1692	Thu203b503b429e68.exe
Token: SeManageVolumePrivilege	1692	Thu203b503b429e68.exe
Token: SeImpersonatePrivilege	1692	Thu203b503b429e68.exe
Token: SeCreateGlobalPrivilege	1692	Thu203b503b429e68.exe
Token: 31	1692	Thu203b503b429e68.exe
Token: 32	1692	Thu203b503b429e68.exe
Token: 33	1692	Thu203b503b429e68.exe
Token: 34	1692	Thu203b503b429e68.exe
Token: 35	1692	Thu203b503b429e68.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 3892	3924	setup_x86_x64_install.exe	76
PID 3924 wrote to memory of 3892	3924	setup_x86_x64_install.exe	76
PID 3924 wrote to memory of 3892	3924	setup_x86_x64_install.exe	76
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 3892 wrote to memory of 4060	3892	setup_installer.exe	77
PID 4060 wrote to memory of 4492	4060	setup_install.exe	80
PID 4060 wrote to memory of 4492	4060	setup_install.exe	80
PID 4060 wrote to memory of 4492	4060	setup_install.exe	80
PID 4060 wrote to memory of 3052	4060	setup_install.exe	81
PID 4060 wrote to memory of 3052	4060	setup_install.exe	81
PID 4060 wrote to memory of 3052	4060	setup_install.exe	81
PID 4060 wrote to memory of 732	4060	setup_install.exe	84
PID 4060 wrote to memory of 732	4060	setup_install.exe	84
PID 4060 wrote to memory of 732	4060	setup_install.exe	84
PID 4060 wrote to memory of 768	4060	setup_install.exe	83
PID 4060 wrote to memory of 768	4060	setup_install.exe	83
PID 4060 wrote to memory of 768	4060	setup_install.exe	83
PID 4060 wrote to memory of 4528	4060	setup_install.exe	82
PID 4060 wrote to memory of 4528	4060	setup_install.exe	82
PID 4060 wrote to memory of 4528	4060	setup_install.exe	82
PID 4060 wrote to memory of 4560	4060	setup_install.exe	85
PID 4060 wrote to memory of 4560	4060	setup_install.exe	85
PID 4060 wrote to memory of 4560	4060	setup_install.exe	85
PID 4060 wrote to memory of 2280	4060	setup_install.exe	86
PID 4060 wrote to memory of 2280	4060	setup_install.exe	86
PID 4060 wrote to memory of 2280	4060	setup_install.exe	86
PID 4060 wrote to memory of 4440	4060	setup_install.exe	87
PID 4060 wrote to memory of 4440	4060	setup_install.exe	87
PID 4060 wrote to memory of 4440	4060	setup_install.exe	87
PID 4060 wrote to memory of 3208	4060	setup_install.exe	106
PID 4060 wrote to memory of 3208	4060	setup_install.exe	106
PID 4060 wrote to memory of 3208	4060	setup_install.exe	106
PID 4492 wrote to memory of 3200	4492	cmd.exe	105
PID 4492 wrote to memory of 3200	4492	cmd.exe	105
PID 4492 wrote to memory of 3200	4492	cmd.exe	105
PID 4560 wrote to memory of 3728	4560	cmd.exe	104
PID 4560 wrote to memory of 3728	4560	cmd.exe	104
PID 4560 wrote to memory of 3728	4560	cmd.exe	104
PID 4060 wrote to memory of 3804	4060	setup_install.exe	88
PID 4060 wrote to memory of 3804	4060	setup_install.exe	88
PID 4060 wrote to memory of 3804	4060	setup_install.exe	88
PID 4060 wrote to memory of 3220	4060	setup_install.exe	89
PID 4060 wrote to memory of 3220	4060	setup_install.exe	89
PID 4060 wrote to memory of 3220	4060	setup_install.exe	89
PID 4060 wrote to memory of 4228	4060	setup_install.exe	93
PID 4060 wrote to memory of 4228	4060	setup_install.exe	93
PID 4060 wrote to memory of 4228	4060	setup_install.exe	93
PID 4060 wrote to memory of 1012	4060	setup_install.exe	92
PID 4060 wrote to memory of 1012	4060	setup_install.exe	92
PID 4060 wrote to memory of 1012	4060	setup_install.exe	92
PID 732 wrote to memory of 980	732	cmd.exe	90
PID 732 wrote to memory of 980	732	cmd.exe	90
PID 3052 wrote to memory of 1896	3052	cmd.exe	91
PID 3052 wrote to memory of 1896	3052	cmd.exe	91
PID 3052 wrote to memory of 1896	3052	cmd.exe	91
PID 4528 wrote to memory of 1936	4528	cmd.exe	103
PID 4528 wrote to memory of 1936	4528	cmd.exe	103
PID 4528 wrote to memory of 1936	4528	cmd.exe	103
PID 4440 wrote to memory of 4732	4440	cmd.exe	95
PID 4440 wrote to memory of 4732	4440	cmd.exe	95
PID 4440 wrote to memory of 4732	4440	cmd.exe	95
PID 3208 wrote to memory of 4784	3208	cmd.exe	94
PID 3208 wrote to memory of 4784	3208	cmd.exe	94

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3892
- - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4492
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:3200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20c467678e2c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20c467678e2c.exe
        
        Thu20c467678e2c.exe
        5⤵
        Executes dropped EXE
        
        PID:1896
      - C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome 5.exe"
        6⤵
        
        PID:1964
      - C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe
        
        "C:\Users\Admin\AppData\Local\Temp\PublicDwlBrowser1100.exe"
        6⤵
        
        PID:2408
        
        C:\ProgramData\2469306.exe
        
        "C:\ProgramData\2469306.exe"
        7⤵
        
        PID:4644
        
        C:\ProgramData\5954251.exe
        
        "C:\ProgramData\5954251.exe"
        7⤵
        
        PID:3812
      - C:\Users\Admin\AppData\Local\Temp\2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2.exe"
        6⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        7⤵
        
        PID:3428
      - C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe
        
        "C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"
        6⤵
        
        PID:5020
      - C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        6⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 812
        7⤵
        Program crash
        
        PID:5060
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 836
        7⤵
        Program crash
        
        PID:5052
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 892
        7⤵
        Program crash
        
        PID:4484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 972
        7⤵
        Program crash
        
        PID:556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1032
        7⤵
        Program crash
        
        PID:2700
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 1100
        7⤵
        Program crash
        
        PID:1792
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20a5f7ccaa78.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4528
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20a5f7ccaa78.exe
        
        Thu20a5f7ccaa78.exe
        5⤵
        Executes dropped EXE
        
        PID:1936
      - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20a5f7ccaa78.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20a5f7ccaa78.exe
        6⤵
        
        PID:4976
      - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20a5f7ccaa78.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20a5f7ccaa78.exe
        6⤵
        
        PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20dae7c52bc0856.exe
      4⤵
      PID:768
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20dae7c52bc0856.exe
        
        Thu20dae7c52bc0856.exe
        5⤵
        Executes dropped EXE
        
        PID:4720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20f2cf5e0c.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:732
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20f2cf5e0c.exe
        
        Thu20f2cf5e0c.exe
        5⤵
        Executes dropped EXE
        
        PID:980
      - C:\Users\Admin\AppData\Roaming\8869967.scr
        
        "C:\Users\Admin\AppData\Roaming\8869967.scr" /S
        6⤵
        
        PID:764
      - C:\Users\Admin\AppData\Roaming\2130112.scr
        
        "C:\Users\Admin\AppData\Roaming\2130112.scr" /S
        6⤵
        
        PID:5324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2026c04e7218e1.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu2026c04e7218e1.exe
        
        Thu2026c04e7218e1.exe
        5⤵
        Executes dropped EXE
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu203b503b429e68.exe
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu203b503b429e68.exe
        
        Thu203b503b429e68.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:696
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2094524d5e5b.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4440
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu2094524d5e5b.exe
        
        Thu2094524d5e5b.exe
        5⤵
        Executes dropped EXE
        
        PID:4732
      - C:\Users\Admin\Documents\k2tRQjasuK_JOfy2DPvUHz5W.exe
        
        "C:\Users\Admin\Documents\k2tRQjasuK_JOfy2DPvUHz5W.exe"
        6⤵
        
        PID:2192
      - C:\Users\Admin\Documents\ioj48vGJc43djGZJWSJx3y3Z.exe
        
        "C:\Users\Admin\Documents\ioj48vGJc43djGZJWSJx3y3Z.exe"
        6⤵
        
        PID:5228
      - C:\Users\Admin\Documents\8pT4OHr6pmoXgxfuleUHf8iP.exe
        
        "C:\Users\Admin\Documents\8pT4OHr6pmoXgxfuleUHf8iP.exe"
        6⤵
        
        PID:5208
      - C:\Users\Admin\Documents\qzoy6JLuYndbjjfnc9WE9JPh.exe
        
        "C:\Users\Admin\Documents\qzoy6JLuYndbjjfnc9WE9JPh.exe"
        6⤵
        
        PID:5192
      - C:\Users\Admin\Documents\LayULUtmqznS6v9DcYnQhkSu.exe
        
        "C:\Users\Admin\Documents\LayULUtmqznS6v9DcYnQhkSu.exe"
        6⤵
        
        PID:5168
      - C:\Users\Admin\Documents\Mrfuf0tnvkW2ZVC62kptRxl3.exe
        
        "C:\Users\Admin\Documents\Mrfuf0tnvkW2ZVC62kptRxl3.exe"
        6⤵
        
        PID:5312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2025d6674aed72ba.exe /mixone
      4⤵
      PID:3804
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu2025d6674aed72ba.exe
        
        Thu2025d6674aed72ba.exe /mixone
        5⤵
        Executes dropped EXE
        
        PID:4856
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 656
        6⤵
        Program crash
        
        PID:1532
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 672
        6⤵
        Program crash
        
        PID:2860
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 676
        6⤵
        Program crash
        
        PID:4988
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 728
        6⤵
        Program crash
        
        PID:4832
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 880
        6⤵
        Program crash
        
        PID:4624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20bc9ea26f.exe
      4⤵
      PID:3220
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20bc9ea26f.exe
        
        Thu20bc9ea26f.exe
        5⤵
        Executes dropped EXE
        
        PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu203cdb52ef3c6580d.exe
      4⤵
      PID:1012
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu203cdb52ef3c6580d.exe
        
        Thu203cdb52ef3c6580d.exe
        5⤵
        Executes dropped EXE
        
        PID:4924
      - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu203cdb52ef3c6580d.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu203cdb52ef3c6580d.exe
        6⤵
        
        PID:3872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu20fdd9ac35a68.exe
      4⤵
      PID:4228
    - - C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu20fdd9ac35a68.exe
        
        Thu20fdd9ac35a68.exe
        5⤵
        
        PID:584
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu2090b5515d63b2.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3208

C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu2090b5515d63b2.exe
Thu2090b5515d63b2.exe
1⤵
- Executes dropped EXE
PID:4784
- C:\Users\Admin\AppData\Local\Temp\tmp5ABD_tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp5ABD_tmp.exe"
  2⤵
  PID:1564
- - C:\Users\Admin\AppData\Local\Temp\tmp5ABD_tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp5ABD_tmp.exe
    3⤵
    PID:4868

C:\Users\Admin\AppData\Local\Temp\is-AFOC6.tmp\Thu2026c04e7218e1.tmp
"C:\Users\Admin\AppData\Local\Temp\is-AFOC6.tmp\Thu2026c04e7218e1.tmp" /SL5="$6007E,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zS43FA3871\Thu2026c04e7218e1.exe"
1⤵
- Executes dropped EXE
PID:4864
- C:\Users\Admin\AppData\Local\Temp\is-4HK31.tmp\___YHDG34.exe
  "C:\Users\Admin\AppData\Local\Temp\is-4HK31.tmp\___YHDG34.exe" /S /UID=burnerch2
  2⤵
  PID:320
- - C:\Program Files\MSBuild\JUCHKWOVVI\ultramediaburner.exe
    "C:\Program Files\MSBuild\JUCHKWOVVI\ultramediaburner.exe" /VERYSILENT
    3⤵
    PID:1532
- - C:\Users\Admin\AppData\Local\Temp\22-d9eef-131-236a7-639337ad5e2d7\Vaqynaepadae.exe
    "C:\Users\Admin\AppData\Local\Temp\22-d9eef-131-236a7-639337ad5e2d7\Vaqynaepadae.exe"
    3⤵
    PID:5180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/320-278-0x00000000024A0000-0x00000000024A2000-memory.dmp

Filesize
8KB

Download
memory/764-269-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/764-277-0x0000000002F50000-0x0000000002F52000-memory.dmp

Filesize
8KB

Download
memory/764-267-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/980-270-0x000000001B3C0000-0x000000001B3C1000-memory.dmp

Filesize
4KB

Download
memory/980-210-0x000000001B270000-0x000000001B272000-memory.dmp

Filesize
8KB

Download
memory/980-178-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1564-309-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/1564-318-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/1896-203-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1936-252-0x0000000004D60000-0x0000000004D61000-memory.dmp

Filesize
4KB

Download
memory/1936-202-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1964-224-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2408-248-0x000000001B4E0000-0x000000001B4E2000-memory.dmp

Filesize
8KB

Download
memory/2408-230-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2704-262-0x0000000002690000-0x0000000002692000-memory.dmp

Filesize
8KB

Download
memory/2704-239-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/3060-306-0x0000000000E90000-0x0000000000EA5000-memory.dmp

Filesize
84KB

Download
memory/3200-254-0x0000000006E50000-0x0000000006E51000-memory.dmp

Filesize
4KB

Download
memory/3200-209-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3200-244-0x0000000007760000-0x0000000007761000-memory.dmp

Filesize
4KB

Download
memory/3200-227-0x00000000074F0000-0x00000000074F1000-memory.dmp

Filesize
4KB

Download
memory/3200-242-0x0000000006DF0000-0x0000000006DF1000-memory.dmp

Filesize
4KB

Download
memory/3200-213-0x0000000006882000-0x0000000006883000-memory.dmp

Filesize
4KB

Download
memory/3200-211-0x0000000006880000-0x0000000006881000-memory.dmp

Filesize
4KB

Download
memory/3200-387-0x0000000006883000-0x0000000006884000-memory.dmp

Filesize
4KB

Download
memory/3200-249-0x00000000078D0000-0x00000000078D1000-memory.dmp

Filesize
4KB

Download
memory/3200-366-0x000000007FBB0000-0x000000007FBB1000-memory.dmp

Filesize
4KB

Download
memory/3200-272-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3200-247-0x0000000007590000-0x0000000007591000-memory.dmp

Filesize
4KB

Download
memory/3200-282-0x00000000080B0000-0x00000000080B1000-memory.dmp

Filesize
4KB

Download
memory/3200-280-0x0000000006EA0000-0x0000000006EA1000-memory.dmp

Filesize
4KB

Download
memory/3200-205-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/3428-390-0x0000000001710000-0x000000000202E000-memory.dmp

Filesize
9.1MB

Download
memory/3428-392-0x0000000000400000-0x0000000000D39000-memory.dmp

Filesize
9.2MB

Download
memory/3728-195-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/3812-349-0x0000000076FA0000-0x000000007712E000-memory.dmp

Filesize
1.6MB

Download
memory/3812-368-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/3856-293-0x0000000000400000-0x0000000002B5D000-memory.dmp

Filesize
39.4MB

Download
memory/3856-279-0x00000000001D0000-0x00000000001FF000-memory.dmp

Filesize
188KB

Download
memory/3872-285-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3872-303-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3872-310-0x00000000051F0000-0x00000000057F6000-memory.dmp

Filesize
6.0MB

Download
memory/3872-300-0x0000000005280000-0x0000000005281000-memory.dmp

Filesize
4KB

Download
memory/3872-297-0x0000000005800000-0x0000000005801000-memory.dmp

Filesize
4KB

Download
memory/3872-305-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/4060-152-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-134-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4060-133-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4060-148-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-135-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4060-149-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4060-153-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4116-329-0x0000000004D00000-0x0000000005306000-memory.dmp

Filesize
6.0MB

Download
memory/4644-307-0x000000001B970000-0x000000001B972000-memory.dmp

Filesize
8KB

Download
memory/4644-286-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/4644-299-0x0000000001210000-0x0000000001211000-memory.dmp

Filesize
4KB

Download
memory/4720-200-0x0000000140000000-0x0000000140650000-memory.dmp

Filesize
6.3MB

Download
memory/4732-332-0x0000000003A70000-0x0000000003BB0000-memory.dmp

Filesize
1.2MB

Download
memory/4784-212-0x0000017961D40000-0x0000017961D42000-memory.dmp

Filesize
8KB

Download
memory/4784-246-0x0000017961D44000-0x0000017961D45000-memory.dmp

Filesize
4KB

Download
memory/4784-191-0x0000017947410000-0x0000017947411000-memory.dmp

Filesize
4KB

Download
memory/4784-231-0x0000017964B90000-0x0000017964C0E000-memory.dmp

Filesize
504KB

Download
memory/4784-243-0x0000017961D42000-0x0000017961D44000-memory.dmp

Filesize
8KB

Download
memory/4784-215-0x0000017961D50000-0x0000017961D51000-memory.dmp

Filesize
4KB

Download
memory/4784-259-0x0000017961D45000-0x0000017961D47000-memory.dmp

Filesize
8KB

Download
memory/4784-208-0x0000017947880000-0x000001794788B000-memory.dmp

Filesize
44KB

Download
memory/4836-255-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/4836-257-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/4856-253-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4856-240-0x0000000000600000-0x0000000000648000-memory.dmp

Filesize
288KB

Download
memory/4864-214-0x0000000000520000-0x00000000005CE000-memory.dmp

Filesize
696KB

Download
memory/4868-352-0x0000000005610000-0x0000000005C16000-memory.dmp

Filesize
6.0MB

Download
memory/4924-219-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/4924-234-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4924-199-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/4924-217-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/4924-236-0x0000000004A70000-0x0000000004AE6000-memory.dmp

Filesize
472KB

Download
memory/5020-276-0x0000000004AE0000-0x0000000004AE1000-memory.dmp

Filesize
4KB

Download
memory/5020-261-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads