redline | 071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9

Resubmissions

28-09-2021 20:51

210928-zm5pdsdae8 10

28-09-2021 20:22

210928-y5kaqsdaa9 10

Analysis

max time kernel
1472s
max time network
1788s
platform
windows7_x64
resource
win7-de-20210920
submitted
28-09-2021 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
Size

3.9MB
MD5

1be0d2741eaac6804e24a7586b1086b0
SHA1

cdb330156b2063c6f259cb10a787463756798f7a
SHA256

071f6bd61aef9f209be1bfb16ef1fb14bd44804fcab511b129deeb7822948ef9
SHA512

cc9352b0ace0a51cac07069adf33d98e548e6726e71bf4582dcb15c3d7b0a7806765ffc57f95511f1aeca798d7fbf44c08bc5ebe7bc13626b8b7bcd0df872f85

Score

10^/10

redline smokeloader vidar 706 pab4 aspackv2 backdoor discovery infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

vidar

Version

40.1

Botnet

706

https://eduarroma.tumblr.com/

Attributes

profile_id
706

Extracted

Family

smokeloader

Version

2020

http://aucmoney.com/upload/

http://thegymmum.com/upload/

http://atvcampingtrips.com/upload/

http://kuapakualaman.com/upload/

http://renatazarazua.com/upload/

http://nasufmutlu.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

pab4

185.215.113.15:61506

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral3/memory/1800-199-0x00000000003E0000-0x00000000003FC000-memory.dmp	family_redline
behavioral3/memory/1800-204-0x0000000004910000-0x000000000492A000-memory.dmp	family_redline
behavioral3/memory/1028-211-0x0000000000570000-0x00000000005D0000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 2 IoCs

stealer

resource	yara_rule
behavioral3/memory/1596-173-0x00000000029A0000-0x0000000002A3D000-memory.dmp	family_vidar
behavioral3/memory/1596-177-0x0000000000400000-0x0000000002403000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x00050000000130fe-67.dat	aspack_v212_v242
behavioral3/files/0x00050000000130fe-68.dat	aspack_v212_v242
behavioral3/files/0x00060000000126a2-64.dat	aspack_v212_v242
behavioral3/files/0x00060000000126a2-63.dat	aspack_v212_v242
behavioral3/files/0x00050000000130ab-62.dat	aspack_v212_v242
behavioral3/files/0x00050000000130ab-61.dat	aspack_v212_v242

Executes dropped EXE 15 IoCs

pid	Process
1744	setup_install.exe
1596	Thu02966ca5c58f270.exe
1984	Thu02483b39590da5492.exe
1088	Thu0247e977c7950492a.exe
1800	Thu02588bdad8e7.exe
1892	Thu0299d0d70a4d322.exe
1740	Thu02f60acc90a3.exe
1636	Thu02c015332704.exe
804	Thu02bfe1521bcc038.exe
1768	Thu0247e977c7950492a.exe
1104	Riconobbe.exe.com
1864	Riconobbe.exe.com
560	Thu02d385ff55.exe
556	iafbrvs
1848	iafbrvs

Loads dropped DLL 43 IoCs

pid	Process
1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
1744	setup_install.exe
560	cmd.exe
1040	cmd.exe
1628	cmd.exe
1040	cmd.exe
1628	cmd.exe
1968	cmd.exe
1968	cmd.exe
1124	cmd.exe
1124	cmd.exe
1596	Thu02966ca5c58f270.exe
1596	Thu02966ca5c58f270.exe
2012	cmd.exe
1088	Thu0247e977c7950492a.exe
1088	Thu0247e977c7950492a.exe
1800	Thu02588bdad8e7.exe
1800	Thu02588bdad8e7.exe
1892	Thu0299d0d70a4d322.exe
1892	Thu0299d0d70a4d322.exe
1812	cmd.exe
2044	cmd.exe
1088	Thu0247e977c7950492a.exe
804	Thu02bfe1521bcc038.exe
804	Thu02bfe1521bcc038.exe
1768	Thu0247e977c7950492a.exe
1768	Thu0247e977c7950492a.exe
524	cmd.exe
1104	Riconobbe.exe.com
1220	cmd.exe
1028	WerFault.exe
1028	WerFault.exe
1028	WerFault.exe
1028	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	Thu02bfe1521bcc038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Thu02bfe1521bcc038.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1028	1596	WerFault.exe	45

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu0299d0d70a4d322.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	iafbrvs

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Riconobbe.exe.com
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Riconobbe.exe.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1328	timeout.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu02f60acc90a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu02f60acc90a3.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1272	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1892	Thu0299d0d70a4d322.exe
1892	Thu0299d0d70a4d322.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
316	powershell.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1028	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1228	Process not Found
1028	WerFault.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1892	Thu0299d0d70a4d322.exe
556	iafbrvs
1848	iafbrvs

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1636	Thu02c015332704.exe
Token: SeDebugPrivilege	1740	Thu02f60acc90a3.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	1800	Thu02588bdad8e7.exe
Token: SeDebugPrivilege	1028	WerFault.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found

Suspicious use of FindShellTrayWindow 12 IoCs

pid	Process
1104	Riconobbe.exe.com
1104	Riconobbe.exe.com
1104	Riconobbe.exe.com
1864	Riconobbe.exe.com
1864	Riconobbe.exe.com
1864	Riconobbe.exe.com
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1864	Riconobbe.exe.com
1864	Riconobbe.exe.com

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
1104	Riconobbe.exe.com
1104	Riconobbe.exe.com
1104	Riconobbe.exe.com
1864	Riconobbe.exe.com
1864	Riconobbe.exe.com
1864	Riconobbe.exe.com
1228	Process not Found
1228	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1728 wrote to memory of 1744	1728	071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe	28
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 556	1744	setup_install.exe	30
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1040	1744	setup_install.exe	55
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 1124	1744	setup_install.exe	54
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 560	1744	setup_install.exe	53
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1628	1744	setup_install.exe	52
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1968	1744	setup_install.exe	51
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 1220	1744	setup_install.exe	31
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2012	1744	setup_install.exe	49
PID 1744 wrote to memory of 2044	1744	setup_install.exe	48

C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe
"C:\Users\Admin\AppData\Local\Temp\071F6BD61AEF9F209BE1BFB16EF1FB14BD44804FCAB51.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02d385ff55.exe
    3⤵
    - Loads dropped DLL
    PID:1220
  - - C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02d385ff55.exe
      Thu02d385ff55.exe
      4⤵
      Executes dropped EXE
      PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02c015332704.exe
    3⤵
    - Loads dropped DLL
    PID:1812
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02bfe1521bcc038.exe
    3⤵
    - Loads dropped DLL
    PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02f60acc90a3.exe
    3⤵
    - Loads dropped DLL
    PID:2012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02588bdad8e7.exe
    3⤵
    - Loads dropped DLL
    PID:1968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02966ca5c58f270.exe
    3⤵
    - Loads dropped DLL
    PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu02483b39590da5492.exe
    3⤵
    - Loads dropped DLL
    PID:560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0299d0d70a4d322.exe
    3⤵
    - Loads dropped DLL
    PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Thu0247e977c7950492a.exe
    3⤵
    - Loads dropped DLL
    PID:1040

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu0299d0d70a4d322.exe
Thu0299d0d70a4d322.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1892

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02bfe1521bcc038.exe
Thu02bfe1521bcc038.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
PID:804
- C:\Windows\SysWOW64\dllhost.exe
  dllhost.exe
  2⤵
  PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Del.doc
  2⤵
  PID:1680
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    PID:524
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^NZrkFJTgsCdMvCokxiUUxUBYmGUZCyshQzrAfUxHKQBByATJNifzJsTTnyLZOTMjkrVrmIWmMjlEaZSZNkkcPXDmmpwppcSQtfd$" Una.doc
      4⤵
      PID:888
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
      Riconobbe.exe.com H
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1104
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com H
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\GpkcFOVZR & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Riconobbe.exe.com"
        6⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:1328
  - - C:\Windows\SysWOW64\PING.EXE
      ping JZCKHXIN -n 30
      4⤵
      Runs ping.exe
      PID:1272

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu0247e977c7950492a.exe
"C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu0247e977c7950492a.exe" -a
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02c015332704.exe
Thu02c015332704.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02f60acc90a3.exe
Thu02f60acc90a3.exe
1⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02588bdad8e7.exe
Thu02588bdad8e7.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02966ca5c58f270.exe
Thu02966ca5c58f270.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 940
  2⤵
  - Loads dropped DLL
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:1028

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu0247e977c7950492a.exe
Thu0247e977c7950492a.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Users\Admin\AppData\Local\Temp\7zS0C613BC2\Thu02483b39590da5492.exe
Thu02483b39590da5492.exe
1⤵
- Executes dropped EXE
PID:1984

C:\Windows\system32\taskeng.exe
taskeng.exe {B8D19C9B-3DE7-48F3-AB1C-D5C0A3437191} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1544
- C:\Users\Admin\AppData\Roaming\iafbrvs
  C:\Users\Admin\AppData\Roaming\iafbrvs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:556
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:792

C:\Windows\system32\taskeng.exe
taskeng.exe {81FD261F-349D-4892-BCF1-C9FFBD348209} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1020

C:\Windows\system32\taskeng.exe
taskeng.exe {E9E65429-F80D-412E-877B-4BE813568833} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:932
- C:\Users\Admin\AppData\Roaming\iafbrvs
  C:\Users\Admin\AppData\Roaming\iafbrvs
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:1848

C:\Windows\system32\taskeng.exe
taskeng.exe {1E3D2944-A632-4F80-B408-552CCE3E533A} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:1136
- C:\Users\Admin\AppData\Roaming\iafbrvs
  C:\Users\Admin\AppData\Roaming\iafbrvs
  2⤵
  PID:1592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-189-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/316-197-0x0000000000281000-0x0000000000282000-memory.dmp

Filesize
4KB

Download
memory/316-205-0x0000000000282000-0x0000000000284000-memory.dmp

Filesize
8KB

Download
memory/556-220-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1028-211-0x0000000000570000-0x00000000005D0000-memory.dmp

Filesize
384KB

Download
memory/1228-230-0x0000000002DE0000-0x0000000002DF6000-memory.dmp

Filesize
88KB

Download
memory/1228-226-0x0000000002DB0000-0x0000000002DC6000-memory.dmp

Filesize
88KB

Download
memory/1228-221-0x0000000002D80000-0x0000000002D96000-memory.dmp

Filesize
88KB

Download
memory/1228-194-0x0000000002BE0000-0x0000000002BF6000-memory.dmp

Filesize
88KB

Download
memory/1592-229-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1596-177-0x0000000000400000-0x0000000002403000-memory.dmp

Filesize
32.0MB

Download
memory/1596-173-0x00000000029A0000-0x0000000002A3D000-memory.dmp

Filesize
628KB

Download
memory/1636-181-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1636-200-0x000000001B0B0000-0x000000001B0B2000-memory.dmp

Filesize
8KB

Download
memory/1728-53-0x0000000076391000-0x0000000076393000-memory.dmp

Filesize
8KB

Download
memory/1740-193-0x0000000000150000-0x0000000000165000-memory.dmp

Filesize
84KB

Download
memory/1740-201-0x000000001AE00000-0x000000001AE02000-memory.dmp

Filesize
8KB

Download
memory/1740-183-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1744-101-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1744-80-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1744-81-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1744-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1744-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1744-77-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1744-76-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1744-74-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1744-75-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1744-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1800-204-0x0000000004910000-0x000000000492A000-memory.dmp

Filesize
104KB

Download
memory/1800-198-0x00000000072B1000-0x00000000072B2000-memory.dmp

Filesize
4KB

Download
memory/1800-199-0x00000000003E0000-0x00000000003FC000-memory.dmp

Filesize
112KB

Download
memory/1800-203-0x00000000072B3000-0x00000000072B4000-memory.dmp

Filesize
4KB

Download
memory/1800-202-0x00000000072B2000-0x00000000072B3000-memory.dmp

Filesize
4KB

Download
memory/1800-159-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download
memory/1800-165-0x0000000000400000-0x0000000002CD0000-memory.dmp

Filesize
40.8MB

Download
memory/1800-210-0x00000000072B4000-0x00000000072B6000-memory.dmp

Filesize
8KB

Download
memory/1848-225-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1864-212-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1864-213-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1892-178-0x0000000000400000-0x00000000023AF000-memory.dmp

Filesize
31.7MB

Download
memory/1892-175-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1984-190-0x000007FEFBBD1000-0x000007FEFBBD3000-memory.dmp

Filesize
8KB

Download
memory/1984-196-0x0000000003890000-0x0000000003A2B000-memory.dmp

Filesize
1.6MB

Download
memory/1984-195-0x0000000003610000-0x00000000036E7000-memory.dmp

Filesize
860KB

Download