Analysis
-
max time kernel
78s -
max time network
206s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
09-11-2021 13:19
General
-
Target
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a.exe
-
Size
3.9MB
-
MD5
e04c606d6936962fe40913b1654410d8
-
SHA1
37a7a94ea89f4697ad779a43c907deef4fd04f89
-
SHA256
2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a
-
SHA512
a98c183a3b9b4cc34544f9cd1ba5ba4a41595ce06d21e0ae2598adc96096411e94a09e3ef72bdc49f7a74b2d58bd7274e041eee2c4d3cee6f2476b3c000c8ba2
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
Family
redline
Botnet
she
C2
135.181.129.119:4805
Extracted
Family
redline
Botnet
ANI
C2
45.142.215.47:27643
Extracted
Family
smokeloader
Version
2020
C2
http://gmpeople.com/upload/
http://mile48.com/upload/
http://lecanardstsornin.com/upload/
http://m3600.com/upload/
http://camasirx.com/upload/
rc4.i32
rc4.i32
Extracted
Family
vidar
Version
48.1
Botnet
937
Attributes
-
profile_id
937
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 7 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Vidar Stealer 2 IoCs
-
Xloader Payload 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 13 IoCs
-
Modifies Windows Firewall 1 TTPs
-
Loads dropped DLL 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 2 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 10 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 4 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 22 IoCs
-
Suspicious use of AdjustPrivilegeToken 40 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a.exe"C:\Users\Admin\AppData\Local\Temp\2d63a14e4ab37be8d0eee3d87959e3a0ef972d07411c136ecf2f1ac4191a701a.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12c1348d93153.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12c1348d93153.exeSun12c1348d93153.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\xFlgB4Za99swS90uhoBEsUeg.exe"C:\Users\Admin\Pictures\Adobe Films\xFlgB4Za99swS90uhoBEsUeg.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KJK03Ni1uFoeb0_VTmHTG6Ou.exe"C:\Users\Admin\Pictures\Adobe Films\KJK03Ni1uFoeb0_VTmHTG6Ou.exe"6⤵
-
C:\Users\Admin\Documents\o77BvoF8F8H3x9Tfohbo1rNl.exe"C:\Users\Admin\Documents\o77BvoF8F8H3x9Tfohbo1rNl.exe"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST7⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\yzrfCPgAsCbdOBJe86cBYrEP.exe"C:\Users\Admin\Pictures\Adobe Films\yzrfCPgAsCbdOBJe86cBYrEP.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\KFMIiIwz3xbIfB7RnPos0d1z.exe"C:\Users\Admin\Pictures\Adobe Films\KFMIiIwz3xbIfB7RnPos0d1z.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\dUadqlOujg5OCCqRcHGxkRoy.exe"C:\Users\Admin\Pictures\Adobe Films\dUadqlOujg5OCCqRcHGxkRoy.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\7erBk_I1otVlnu6TrdtPTtCv.exe"C:\Users\Admin\Pictures\Adobe Films\7erBk_I1otVlnu6TrdtPTtCv.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "7erBk_I1otVlnu6TrdtPTtCv.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\7erBk_I1otVlnu6TrdtPTtCv.exe" & exit7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "7erBk_I1otVlnu6TrdtPTtCv.exe" /f8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\hCh5SqqQiwpwNGZfbw0Db5l3.exe"C:\Users\Admin\Pictures\Adobe Films\hCh5SqqQiwpwNGZfbw0Db5l3.exe"6⤵
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\TsGYWYHaAmFHKldYAx_XE0KU.exe"C:\Users\Admin\Pictures\Adobe Films\TsGYWYHaAmFHKldYAx_XE0KU.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\9UwF7RHQbz6ZJ7cgtG3U5ayY.exe"C:\Users\Admin\Pictures\Adobe Films\9UwF7RHQbz6ZJ7cgtG3U5ayY.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\YV5DwoScdoQ2Kd08qX5SIT_o.exe"C:\Users\Admin\Pictures\Adobe Films\YV5DwoScdoQ2Kd08qX5SIT_o.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\tfugKKePr2LiLXXzD0UhT8At.exe"C:\Users\Admin\Pictures\Adobe Films\tfugKKePr2LiLXXzD0UhT8At.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\RzcTxK6cd9S73eHgTd8njwEX.exe"C:\Users\Admin\Pictures\Adobe Films\RzcTxK6cd9S73eHgTd8njwEX.exe"6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\RzcTxK6cd9S73eHgTd8njwEX.exe" & exit7⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 58⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\6TFHlFY0k4iDobcST87y2qhV.exe"C:\Users\Admin\Pictures\Adobe Films\6TFHlFY0k4iDobcST87y2qhV.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\7⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes7⤵
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM7⤵
- Creates scheduled task(s)
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\39txMBiTMV_KtjhZXLKp2lXT.exe"C:\Users\Admin\Pictures\Adobe Films\39txMBiTMV_KtjhZXLKp2lXT.exe"6⤵
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"8⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe7⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"8⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 5528⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\Xak840eyxFNrItr5jx7GltOy.exe"C:\Users\Admin\Pictures\Adobe Films\Xak840eyxFNrItr5jx7GltOy.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\Xak840eyxFNrItr5jx7GltOy.exe"C:\Users\Admin\Pictures\Adobe Films\Xak840eyxFNrItr5jx7GltOy.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\V52hI9Enje6nDetyQrz8AlkB.exe"C:\Users\Admin\Pictures\Adobe Films\V52hI9Enje6nDetyQrz8AlkB.exe"6⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe7⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe8⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\6__g9HjU1JzBgP036rXE7gZY.exe"C:\Users\Admin\Pictures\Adobe Films\6__g9HjU1JzBgP036rXE7gZY.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\U8oL3G08uOszHKS5CcuQg0lL.exe"C:\Users\Admin\Pictures\Adobe Films\U8oL3G08uOszHKS5CcuQg0lL.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\CqMvpdoqCrk5NGJiZvOzLopf.exe"C:\Users\Admin\Pictures\Adobe Films\CqMvpdoqCrk5NGJiZvOzLopf.exe"6⤵
-
C:\Users\Admin\Pictures\Adobe Films\CqMvpdoqCrk5NGJiZvOzLopf.exe"C:\Users\Admin\Pictures\Adobe Films\CqMvpdoqCrk5NGJiZvOzLopf.exe"7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OCj5sMmpJYhWjepTLao3GpVf.exe"C:\Users\Admin\Pictures\Adobe Films\OCj5sMmpJYhWjepTLao3GpVf.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\Fdm7g1rYptl81FWmIcNLw9Qv.exe"C:\Users\Admin\Pictures\Adobe Films\Fdm7g1rYptl81FWmIcNLw9Qv.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\v3a5JNV6p_ECxUBimJ0Ek5Y8.exe"C:\Users\Admin\Pictures\Adobe Films\v3a5JNV6p_ECxUBimJ0Ek5Y8.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\BZYI0_5bF2pGuSTqquFGslBG.exe"C:\Users\Admin\Pictures\Adobe Films\BZYI0_5bF2pGuSTqquFGslBG.exe"6⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\BZYI0_5bF2pGuSTqquFGslBG.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\BZYI0_5bF2pGuSTqquFGslBG.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )7⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\9_dAShtlgGpWTw7khAQAI2mc.exe"C:\Users\Admin\Pictures\Adobe Films\9_dAShtlgGpWTw7khAQAI2mc.exe"6⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\AcOaQgiqgr7WN5oZTcCPb8VM.exe"C:\Users\Admin\Pictures\Adobe Films\AcOaQgiqgr7WN5oZTcCPb8VM.exe"6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1259934706c8.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun1259934706c8.exeSun1259934706c8.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12d5375519fd3042a.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12d5375519fd3042a.exeSun12d5375519fd3042a.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12fa00cf9c.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12fa00cf9c.exeSun12fa00cf9c.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12fa00cf9c.exeC:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12fa00cf9c.exe6⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12f38be2ba.exe4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12f38be2ba.exeSun12f38be2ba.exe5⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun1216aa44861b6.exe /mixone4⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun1216aa44861b6.exeSun1216aa44861b6.exe /mixone5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6566⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 6726⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 7726⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 8086⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 7526⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 9086⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 8846⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12ae5f6f719fe11fb.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12ae5f6f719fe11fb.exeSun12ae5f6f719fe11fb.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3800 -s 18526⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun123ea6485e74.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun123ea6485e74.exeSun123ea6485e74.exe5⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun120905af9b0.exe4⤵
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun120905af9b0.exeSun120905af9b0.exe5⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun120905af9b0.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun120905af9b0.exe"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )6⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun120905af9b0.exe" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun120905af9b0.exe" ) do taskkill /F -Im "%~NxU"7⤵
-
C:\Users\Admin\AppData\Local\Temp\09xU.exE09xU.EXE -pPtzyIkqLZoCarb5ew8⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ( "CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" ) do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE" ) do taskkill /F -Im "%~NxU"10⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " , 0 ,TRuE ) )9⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I10⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" eCHO "11⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"11⤵
-
-
C:\Windows\SysWOW64\control.execontrol .\R6f7sE.I11⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I12⤵
-
C:\Windows\system32\RunDll32.exeC:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I13⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I14⤵
-
-
-
-
-
-
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /F -Im "Sun120905af9b0.exe"8⤵
- Kills process with taskkill
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12da668880c641f.exe4⤵
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Sun12e7ce43242.exe4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 5724⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12da668880c641f.exeSun12da668880c641f.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe2⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe3⤵
- Kills process with taskkill
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS46AB9B96\Sun12e7ce43242.exeSun12e7ce43242.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\SysWOW64\control.exe"C:\Windows\SysWOW64\control.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\tfugKKePr2LiLXXzD0UhT8At.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
852KB
-
Filesize
864KB
-
Filesize
492KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
68KB
-
Filesize
3.1MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
572KB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
18.9MB
-
Filesize
8KB
-
Filesize
124KB
-
Filesize
4KB
-
Filesize
116KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
128KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
308KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
456KB
-
Filesize
456KB
-
Filesize
18.9MB
-
Filesize
1.3MB
-
Filesize
84KB
-
Filesize
1.5MB
-
Filesize
36KB
-
Filesize
18.8MB
-
Filesize
68KB
-
Filesize
388KB
-
Filesize
156KB
-
Filesize
272KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
6.0MB
-
Filesize
136KB
-
Filesize
4KB
-
Filesize
696KB
-
Filesize
1.0MB
-
Filesize
372KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.0MB
-
Filesize
108KB
-
Filesize
456KB
-
Filesize
36KB
-
Filesize
39.2MB
-
Filesize
39.4MB
-
Filesize
1.3MB
-
Filesize
1.3MB
-
Filesize
1.3MB