arkei | c75b223b462ba88c62c1c8d848a845e7aeacc0ec0c96a7ecf1644e782accdd52

Resubmissions

26-09-2021 14:45

210926-r43blaehcn 10

26-09-2021 14:26

210926-rrve8aehh8 10

Analysis

max time kernel
1806s
max time network
1609s
platform
windows11_x64
resource
win11
submitted
26-09-2021 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dd4ba94c558b54ba1fe639566cbc368.exe
Size

237KB
MD5

3dd4ba94c558b54ba1fe639566cbc368
SHA1

8c44f1c918c3d2fd48694e8af653e473be3e02c1
SHA256

c75b223b462ba88c62c1c8d848a845e7aeacc0ec0c96a7ecf1644e782accdd52
SHA512

58e828507bd3be52ea340ed835c3dc06a655db0a067c746ef65e7382d2b09eb5e7d6847dc679b89539826b598749e60ddf62859e25930b8e586acc11228bb1fa

Score

10^/10

arkei raccoon redline smokeloader installszxc z0rm1onbuild backdoor discovery evasion infostealer spyware stealer suricata themida trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://naghenrietti1.top/

http://kimballiett2.top/

http://xadriettany3.top/

http://jebeccallis4.top/

http://nityanneron5.top/

http://umayaniela6.top/

http://lynettaram7.top/

http://sadineyalas8.top/

http://geenaldencia9.top/

http://aradysiusep10.top/

rc4.i32

Extracted

Family

redline

Botnet

installszxc

138.124.186.2:27999

Extracted

Family

redline

Botnet

z0rm1onbuild

45.156.21.209:56326

Signatures

Arkei
Arkei is an infostealer written in C++.
stealer arkei
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral4/files/0x0011000000007768-211.dat	family_redline
behavioral4/files/0x0011000000007768-212.dat	family_redline
behavioral4/memory/4088-222-0x00000000013E0000-0x00000000013FE000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader

Suspicious use of NtCreateProcessExOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2100 created 4688	2100	WerFault.exe	99
PID 1616 created 4740	1616	WerFault.exe	107
PID 1692 created 1468	1692	WerFault.exe	118
PID 2004 created 2608	2004	WerFault.exe	122
PID 1888 created 3080	1888	WerFault.exe	120

suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata: ET MALWARE Sharik/Smoke CnC Beacon 11
suricata
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata: ET MALWARE Win32.Raccoon Stealer CnC Activity (dependency download)
suricata
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata: ET MALWARE Win32.Raccoon Stealer Data Exfil Attempt
suricata
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil
suricata

Arkei Stealer Payload 1 IoCs

stealer

resource	yara_rule
behavioral4/memory/1012-286-0x0000000000400000-0x000000000044D000-memory.dmp	family_arkei

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1668	D909.exe
2460	E157.exe
3716	D909.exe
4500	EDEB.exe
4088	F222.exe
4888	Stub.exe
4688	FC35.exe
2424	B69.exe
752	1722.exe
4740	1F51.exe
1012	28E7.exe
4836	31E1.exe
1468	SindonsWelfare_2021-09-26_15-02.exe
3080	SolanumsYoghurt_2021-09-26_14-52.exe
2608	fbf.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	E157.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1722.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1722.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	E157.exe

Loads dropped DLL 4 IoCs

pid	Process
2424	B69.exe
1012	28E7.exe
2424	B69.exe
2424	B69.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral4/files/0x0004000000000549-181.dat	themida
behavioral4/files/0x0004000000000549-182.dat	themida
behavioral4/memory/2460-187-0x0000000000D20000-0x0000000000D21000-memory.dmp	themida
behavioral4/files/0x0004000000027ba4-254.dat	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	E157.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	1722.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2460	E157.exe
752	1722.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4148 set thread context of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 1668 set thread context of 3716	1668	D909.exe	94

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2340	4688	WerFault.exe	99
1460	4740	WerFault.exe	107
5112	1468	WerFault.exe	118
2216	2608	WerFault.exe	122
1164	3080	WerFault.exe	120

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dd4ba94c558b54ba1fe639566cbc368.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dd4ba94c558b54ba1fe639566cbc368.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3dd4ba94c558b54ba1fe639566cbc368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D909.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D909.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D909.exe

Checks processor information in registry 2 TTPs 37 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	28E7.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	28E7.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
2200	timeout.exe
768	timeout.exe

Enumerates system info in registry 2 TTPs 10 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5b934b42-522b-4c34-bbfe-37a3ef7b9c90}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{f8278c54-a712-415b-b593-b77a2be0dda9}\Instance\	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Process not Found

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4808	3dd4ba94c558b54ba1fe639566cbc368.exe
4808	3dd4ba94c558b54ba1fe639566cbc368.exe
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found
3232	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3232	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
4808	3dd4ba94c558b54ba1fe639566cbc368.exe
3716	D909.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeDebugPrivilege	4500	EDEB.exe
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeDebugPrivilege	4088	F222.exe
Token: 33	4088	F222.exe
Token: SeIncBasePriorityPrivilege	4088	F222.exe
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeDebugPrivilege	2460	E157.exe
Token: SeRestorePrivilege	2340	WerFault.exe
Token: SeBackupPrivilege	2340	WerFault.exe
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeDebugPrivilege	4888	Stub.exe
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeDebugPrivilege	752	1722.exe
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found
Token: SeCreatePagefilePrivilege	3232	Process not Found
Token: SeShutdownPrivilege	3232	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 4148 wrote to memory of 4808	4148	3dd4ba94c558b54ba1fe639566cbc368.exe	77
PID 3232 wrote to memory of 1668	3232	Process not Found	91
PID 3232 wrote to memory of 1668	3232	Process not Found	91
PID 3232 wrote to memory of 1668	3232	Process not Found	91
PID 3232 wrote to memory of 2460	3232	Process not Found	92
PID 3232 wrote to memory of 2460	3232	Process not Found	92
PID 3232 wrote to memory of 2460	3232	Process not Found	92
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 1668 wrote to memory of 3716	1668	D909.exe	94
PID 3232 wrote to memory of 4500	3232	Process not Found	95
PID 3232 wrote to memory of 4500	3232	Process not Found	95
PID 3232 wrote to memory of 4500	3232	Process not Found	95
PID 3232 wrote to memory of 4088	3232	Process not Found	96
PID 3232 wrote to memory of 4088	3232	Process not Found	96
PID 4500 wrote to memory of 4888	4500	EDEB.exe	97
PID 4500 wrote to memory of 4888	4500	EDEB.exe	97
PID 4500 wrote to memory of 4888	4500	EDEB.exe	97
PID 3232 wrote to memory of 4688	3232	Process not Found	99
PID 3232 wrote to memory of 4688	3232	Process not Found	99
PID 3232 wrote to memory of 4688	3232	Process not Found	99
PID 2100 wrote to memory of 4688	2100	WerFault.exe	99
PID 2100 wrote to memory of 4688	2100	WerFault.exe	99
PID 3232 wrote to memory of 2424	3232	Process not Found	103
PID 3232 wrote to memory of 2424	3232	Process not Found	103
PID 3232 wrote to memory of 2424	3232	Process not Found	103
PID 3232 wrote to memory of 752	3232	Process not Found	105
PID 3232 wrote to memory of 752	3232	Process not Found	105
PID 3232 wrote to memory of 752	3232	Process not Found	105
PID 3232 wrote to memory of 4740	3232	Process not Found	107
PID 3232 wrote to memory of 4740	3232	Process not Found	107
PID 3232 wrote to memory of 4740	3232	Process not Found	107
PID 3232 wrote to memory of 1012	3232	Process not Found	108
PID 3232 wrote to memory of 1012	3232	Process not Found	108
PID 3232 wrote to memory of 1012	3232	Process not Found	108
PID 3232 wrote to memory of 4836	3232	Process not Found	109
PID 3232 wrote to memory of 4836	3232	Process not Found	109
PID 1616 wrote to memory of 4740	1616	WerFault.exe	107
PID 1616 wrote to memory of 4740	1616	WerFault.exe	107
PID 1012 wrote to memory of 1408	1012	28E7.exe	112
PID 1012 wrote to memory of 1408	1012	28E7.exe	112
PID 1012 wrote to memory of 1408	1012	28E7.exe	112
PID 1408 wrote to memory of 768	1408	cmd.exe	114
PID 1408 wrote to memory of 768	1408	cmd.exe	114
PID 1408 wrote to memory of 768	1408	cmd.exe	114
PID 2424 wrote to memory of 828	2424	B69.exe	115
PID 2424 wrote to memory of 828	2424	B69.exe	115
PID 2424 wrote to memory of 828	2424	B69.exe	115
PID 828 wrote to memory of 2200	828	cmd.exe	117
PID 828 wrote to memory of 2200	828	cmd.exe	117
PID 828 wrote to memory of 2200	828	cmd.exe	117
PID 4836 wrote to memory of 1468	4836	31E1.exe	118
PID 4836 wrote to memory of 1468	4836	31E1.exe	118
PID 4836 wrote to memory of 1468	4836	31E1.exe	118
PID 4836 wrote to memory of 3080	4836	31E1.exe	120
PID 4836 wrote to memory of 3080	4836	31E1.exe	120

C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe
"C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4148
- C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe
  "C:\Users\Admin\AppData\Local\Temp\3dd4ba94c558b54ba1fe639566cbc368.exe"
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:3892

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\D909.exe
C:\Users\Admin\AppData\Local\Temp\D909.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\AppData\Local\Temp\D909.exe
  C:\Users\Admin\AppData\Local\Temp\D909.exe
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:3716

C:\Users\Admin\AppData\Local\Temp\E157.exe
C:\Users\Admin\AppData\Local\Temp\E157.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Users\Admin\AppData\Local\Temp\EDEB.exe
C:\Users\Admin\AppData\Local\Temp\EDEB.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4500
- C:\ProgramData\Stub.exe
  "C:\ProgramData\Stub.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4888

C:\Users\Admin\AppData\Local\Temp\F222.exe
C:\Users\Admin\AppData\Local\Temp\F222.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Users\Admin\AppData\Local\Temp\FC35.exe
C:\Users\Admin\AppData\Local\Temp\FC35.exe
1⤵
- Executes dropped EXE
PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4688 -s 296
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4688 -ip 4688
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:2100

C:\Users\Admin\AppData\Local\Temp\B69.exe
C:\Users\Admin\AppData\Local\Temp\B69.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /C timeout /T 10 /NOBREAK > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\B69.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Windows\SysWOW64\timeout.exe
    timeout /T 10 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2200

C:\Users\Admin\AppData\Local\Temp\1722.exe
C:\Users\Admin\AppData\Local\Temp\1722.exe
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Users\Admin\AppData\Local\Temp\1F51.exe
C:\Users\Admin\AppData\Local\Temp\1F51.exe
1⤵
- Executes dropped EXE
PID:4740
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4740 -s 296
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  PID:1460

C:\Users\Admin\AppData\Local\Temp\28E7.exe
C:\Users\Admin\AppData\Local\Temp\28E7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\28E7.exe" & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:768

C:\Users\Admin\AppData\Local\Temp\31E1.exe
C:\Users\Admin\AppData\Local\Temp\31E1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe
  "C:\Users\Admin\AppData\Local\Temp\SindonsWelfare_2021-09-26_15-02.exe"
  2⤵
  - Executes dropped EXE
  PID:1468
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 312
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5112
- C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe
  "C:\Users\Admin\AppData\Local\Temp\SolanumsYoghurt_2021-09-26_14-52.exe"
  2⤵
  - Executes dropped EXE
  PID:3080
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 256
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1164
- C:\Users\Admin\AppData\Local\Temp\fbf.exe
  "C:\Users\Admin\AppData\Local\Temp\fbf.exe"
  2⤵
  - Executes dropped EXE
  PID:2608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2608 -s 292
    3⤵
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4740 -ip 4740
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1468 -ip 1468
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3080 -ip 3080
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2608 -ip 2608
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/752-273-0x0000000006190000-0x0000000006191000-memory.dmp

Filesize
4KB

Download
memory/1012-286-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1012-284-0x0000000002280000-0x00000000022AD000-memory.dmp

Filesize
180KB

Download
memory/1468-320-0x00000000021F0000-0x0000000002220000-memory.dmp

Filesize
192KB

Download
memory/2424-243-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2424-242-0x00000000016A0000-0x00000000016A1000-memory.dmp

Filesize
4KB

Download
memory/2424-241-0x0000000001690000-0x0000000001691000-memory.dmp

Filesize
4KB

Download
memory/2460-191-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2460-193-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/2460-187-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/2460-189-0x00000000061F0000-0x00000000061F1000-memory.dmp

Filesize
4KB

Download
memory/2460-190-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/2460-192-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/2460-194-0x0000000006810000-0x0000000006811000-memory.dmp

Filesize
4KB

Download
memory/2460-195-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/2460-196-0x0000000005DE0000-0x0000000005DE1000-memory.dmp

Filesize
4KB

Download
memory/2460-197-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/2460-237-0x00000000078B0000-0x00000000078B1000-memory.dmp

Filesize
4KB

Download
memory/2460-238-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/2460-239-0x0000000007A80000-0x0000000007A81000-memory.dmp

Filesize
4KB

Download
memory/2460-240-0x0000000008A90000-0x0000000008A91000-memory.dmp

Filesize
4KB

Download
memory/2608-322-0x00000000021D0000-0x000000000228C000-memory.dmp

Filesize
752KB

Download
memory/3080-321-0x00000000020A0000-0x00000000020D7000-memory.dmp

Filesize
220KB

Download
memory/3232-229-0x0000000004360000-0x0000000004376000-memory.dmp

Filesize
88KB

Download
memory/3232-149-0x0000000004AF0000-0x0000000004B06000-memory.dmp

Filesize
88KB

Download
memory/3232-155-0x0000000004A00000-0x0000000004A80000-memory.dmp

Filesize
512KB

Download
memory/3232-163-0x00000000076D0000-0x0000000007750000-memory.dmp

Filesize
512KB

Download
memory/3892-175-0x0000022D3DE80000-0x0000022D3DE84000-memory.dmp

Filesize
16KB

Download
memory/3892-150-0x0000022D3AF80000-0x0000022D3AF90000-memory.dmp

Filesize
64KB

Download
memory/3892-151-0x0000022D3B860000-0x0000022D3B870000-memory.dmp

Filesize
64KB

Download
memory/3892-152-0x0000022D3BBE0000-0x0000022D3BBE4000-memory.dmp

Filesize
16KB

Download
memory/3892-171-0x0000022D3E150000-0x0000022D3E154000-memory.dmp

Filesize
16KB

Download
memory/3892-172-0x0000022D3E110000-0x0000022D3E111000-memory.dmp

Filesize
4KB

Download
memory/3892-174-0x0000022D3DE80000-0x0000022D3DE81000-memory.dmp

Filesize
4KB

Download
memory/3892-176-0x0000022D3BB60000-0x0000022D3BB61000-memory.dmp

Filesize
4KB

Download
memory/4088-257-0x000000001B892000-0x000000001B894000-memory.dmp

Filesize
8KB

Download
memory/4088-226-0x0000000001550000-0x0000000001551000-memory.dmp

Filesize
4KB

Download
memory/4088-210-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4088-227-0x0000000002D60000-0x0000000002D61000-memory.dmp

Filesize
4KB

Download
memory/4088-223-0x000000001B890000-0x000000001B892000-memory.dmp

Filesize
8KB

Download
memory/4088-225-0x000000001C500000-0x000000001C501000-memory.dmp

Filesize
4KB

Download
memory/4088-274-0x000000001B894000-0x000000001B895000-memory.dmp

Filesize
4KB

Download
memory/4088-222-0x00000000013E0000-0x00000000013FE000-memory.dmp

Filesize
120KB

Download
memory/4148-148-0x0000000000670000-0x0000000000679000-memory.dmp

Filesize
36KB

Download
memory/4500-201-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/4500-205-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/4688-233-0x0000000002220000-0x00000000022B0000-memory.dmp

Filesize
576KB

Download
memory/4740-297-0x00000000020E0000-0x0000000002170000-memory.dmp

Filesize
576KB

Download
memory/4808-147-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4888-224-0x0000000004BD0000-0x00000000051E8000-memory.dmp

Filesize
6.1MB

Download
memory/4888-213-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download