Analysis
max time kernel: 151s
max time network: 150s
platform: windows10_x64
resource: win10-en-20211104
submitted: 20/11/2021, 01:36
Static task: static1
Behavioral task: behavioral1
Sample: 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe
Resource: win7-en-20211104
General
Target: 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe
Size: 3.4MB
MD5: 911669a9c6aedd2806a996ad49adac13
SHA1: 7b0ad38d008d1c7a40e2575b005e9876aca4f06d
SHA256: 734c31431b89b7501b984af35a2d61bdce27ba87ca484a64fb37ca5794e1a141
SHA512: 457d387f2b087fd2c3701d9f468032878c5944c4cba352fc9b5a7befdd3944b8694590800c4c76d72a6aac3717f59bac27f713d13c45bdebdcd26bac338500a0
Malware Config
Extracted: redline
  pab3
  185.215.113.15:61506
Extracted: vidar
  40
  706
  https://lenak513.tumblr.com/
  profile_id: 706
Extracted: smokeloader
  2020
  http://aucmoney.com/upload/
  http://thegymmum.com/upload/
  http://atvcampingtrips.com/upload/
  http://kuapakualaman.com/upload/
  http://renatazarazua.com/upload/
  http://nasufmutlu.com/upload/
Extracted: socelars
  http://www.gianninidesign.com/
Signatures
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine Payload 2 IoCs
resource | yara_rule
behavioral2/memory/1080-206-0x0000000004AF0000-0x0000000004B0C000-memory.dmp | family_redline
behavioral2/memory/1080-211-0x0000000004B70000-0x0000000004B8A000-memory.dmp | family_redline
SmokeLoader
Modular backdoor trojan in use since 2014.
Socelars Payload 2 IoCs
resource | yara_rule
behavioral2/files/0x000400000001ac1a-501.dat | family_socelars
behavioral2/files/0x000400000001ac1a-503.dat | family_socelars
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
description | pid | Process | procid_target
PID 4288 created 4112 | 4288 | WerFault.exe | 82
PID 3284 created 3008 | 3284 | WerFault.exe | 91
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Vidar Stealer 3 IoCs
resource | yara_rule
behavioral2/memory/4112-232-0x00000000048E0000-0x000000000497D000-memory.dmp | family_vidar
behavioral2/memory/4112-237-0x0000000000400000-0x0000000002D1A000-memory.dmp | family_vidar
behavioral2/memory/4208-540-0x00000000021F0000-0x00000000022C5000-memory.dmp | family_vidar
resource | yara_rule
behavioral2/files/0x000500000001abac-123.dat | aspack_v212_v242
behavioral2/files/0x000500000001abab-122.dat | aspack_v212_v242
behavioral2/files/0x000500000001abab-125.dat | aspack_v212_v242
behavioral2/files/0x000500000001abac-127.dat | aspack_v212_v242
behavioral2/files/0x000500000001abb4-129.dat | aspack_v212_v242
behavioral2/files/0x000500000001abb4-131.dat | aspack_v212_v242
Downloads MZ/PE file
Executes dropped EXE 28 IoCs
pid | Process
800 | setup_install.exe
3008 | Tue094bcd3f59.exe
4112 | Tue0920739b1b1367340.exe
3132 | Tue09a700e547.exe
428 | Tue095a91fcf60e296.exe
500 | Tue09ca5dc30ca0.exe
1080 | Tue094093eaba3241.exe
1408 | Tue09d48d6e278d9ad1.exe
1456 | Tue098c67724cc.exe
1560 | Tue090358524773b93.exe
2688 | Tue09a700e547.exe
3564 | Volevo.exe.com
2344 | Volevo.exe.com
1524 | d89ZrndOU42v8CmwJT6HiF4w.exe
4196 | 3Lx2rqzHWvdp52XF3dFLncJr.exe
4500 | y__12xwA6088lTTfcsU1tsc_.exe
4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
1836 | 14c50LdrpAJkywtMlv_IMCLP.exe
4208 | xTZx6JOiV3rsuzx60KU4Lw2G.exe
1140 | OSrEf9DPpntbBXRTydBxDLXc.exe
1244 | ni103IsopTImTsV_RO7LtV_C.exe
4276 | ObPSRUMsooTNbko_DbZAmY6a.exe
1444 | mAvVtB0A11xUzkDIYki8UOsR.exe
3080 | gW7eponAAgJdtjhvyy5cFVR1.exe
4316 | inst2.exe
4308 | jg1_1faf.exe
2808 | rtst1039.exe
1400 | dFwgqfg1Q7n4ADjCFF0MWveP.exe
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | mAvVtB0A11xUzkDIYki8UOsR.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | mAvVtB0A11xUzkDIYki8UOsR.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Control Panel\International\Geo\Nation | Tue090358524773b93.exe
Loads dropped DLL 6 IoCs
pid | Process
800 | setup_install.exe (×6)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
resource | yara_rule
behavioral2/files/0x000400000001ac23-520.dat | themida
behavioral2/files/0x000400000001ac23-519.dat | themida
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | Tue09d48d6e278d9ad1.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | Tue09d48d6e278d9ad1.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | mAvVtB0A11xUzkDIYki8UOsR.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
91 | ipinfo.io
92 | ipinfo.io
184 | ip-api.com
196 | ipinfo.io
197 | ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1444 | mAvVtB0A11xUzkDIYki8UOsR.exe
Drops file in Program Files directory 7 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Company\NewProduct\rtst1039.exe | y__12xwA6088lTTfcsU1tsc_.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\Uninstall.exe | y__12xwA6088lTTfcsU1tsc_.exe
File created | C:\Program Files (x86)\Company\NewProduct\Uninstall.ini | y__12xwA6088lTTfcsU1tsc_.exe
File created | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | 3Lx2rqzHWvdp52XF3dFLncJr.exe
File opened for modification | C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe | 3Lx2rqzHWvdp52XF3dFLncJr.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\inst2.exe | y__12xwA6088lTTfcsU1tsc_.exe
File opened for modification | C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe | y__12xwA6088lTTfcsU1tsc_.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash 21 IoCs
pid | pid_target | Process | procid_target
2068 | 800 | WerFault.exe | 68
2588 | 4112 | WerFault.exe | 82
2228 | 4112 | WerFault.exe | 82
1520 | 4112 | WerFault.exe | 82
2128 | 4112 | WerFault.exe | 82
1900 | 4112 | WerFault.exe | 82
3168 | 4112 | WerFault.exe | 82
2032 | 4112 | WerFault.exe | 82
3628 | 4112 | WerFault.exe | 82
3892 | 4112 | WerFault.exe | 82
4236 | 4112 | WerFault.exe | 82
4484 | 4112 | WerFault.exe | 82
3084 | 4112 | WerFault.exe | 82
3784 | 4112 | WerFault.exe | 82
2912 | 4112 | WerFault.exe | 82
404 | 4112 | WerFault.exe | 82
4288 | 4112 | WerFault.exe | 82
1720 | 2688 | WerFault.exe | 93
3284 | 3008 | WerFault.exe | 91
4796 | 1560 | WerFault.exe | 86
1872 | 4208 | WerFault.exe | 124
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Tue09ca5dc30ca0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Tue09ca5dc30ca0.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | Tue09ca5dc30ca0.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2284 | schtasks.exe
4820 | schtasks.exe
Modifies registry class 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Process not Found
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | Process not Found
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | Tue0920739b1b1367340.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 | Tue0920739b1b1367340.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2272 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2068 | WerFault.exe (×17)
4492 | powershell.exe
500 | Tue09ca5dc30ca0.exe (×2)
4492 | powershell.exe (×2)
2716 | Process not Found (×26)
2588 | WerFault.exe (×16)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2716 | Process not Found
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
500 | Tue09ca5dc30ca0.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1456 | Tue098c67724cc.exe
Token: SeDebugPrivilege | 428 | Tue095a91fcf60e296.exe
Token: SeRestorePrivilege | 2068 | WerFault.exe
Token: SeBackupPrivilege | 2068 | WerFault.exe
Token: SeDebugPrivilege | 2068 | WerFault.exe
Token: SeDebugPrivilege | 4492 | powershell.exe
Token: SeDebugPrivilege | 1080 | Tue094093eaba3241.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating, 4 pairs) | 2716 | Process not Found
Token: SeDebugPrivilege | 2588 | WerFault.exe
Token: SeDebugPrivilege | 2228 | WerFault.exe
Token: SeDebugPrivilege | 1520 | WerFault.exe
Token: SeDebugPrivilege | 2128 | WerFault.exe
Token: SeDebugPrivilege | 1900 | WerFault.exe
Token: SeDebugPrivilege | 3168 | WerFault.exe
Token: SeDebugPrivilege | 2032 | WerFault.exe
Token: SeDebugPrivilege | 3628 | WerFault.exe
Token: SeDebugPrivilege | 3892 | WerFault.exe
Token: SeDebugPrivilege | 4236 | WerFault.exe
Token: SeDebugPrivilege | 4484 | WerFault.exe
Token: SeDebugPrivilege | 3084 | WerFault.exe
Token: SeDebugPrivilege | 3784 | WerFault.exe
Token: SeDebugPrivilege | 2912 | WerFault.exe
Token: SeDebugPrivilege | 404 | WerFault.exe
Token: SeDebugPrivilege | 4288 | WerFault.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating, 6 pairs) | 2716 | Process not Found
Token: SeDebugPrivilege | 3284 | WerFault.exe
Token: SeShutdownPrivilege / Token: SeCreatePagefilePrivilege (alternating, 5 pairs) | 2716 | Process not Found
Token: SeCreateTokenPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeAssignPrimaryTokenPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeLockMemoryPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeIncreaseQuotaPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeMachineAccountPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeTcbPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeSecurityPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeTakeOwnershipPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeLoadDriverPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeSystemProfilePrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeSystemtimePrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Token: SeProfSingleProcessPrivilege | 4484 | 70x8Z1vYh07fX13GCbik8aU3.exe
Suspicious use of FindShellTrayWindow 14 IoCs
pid | Process
3564 | Volevo.exe.com (×3)
2716 | Process not Found (×2)
2344 | Volevo.exe.com
2716 | Process not Found (×2)
2344 | Volevo.exe.com (×2)
2716 | Process not Found (×4)
Suspicious use of SendNotifyMessage 6 IoCs
pid | Process
3564 | Volevo.exe.com (×3)
2344 | Volevo.exe.com (×3)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4152 wrote to memory of 800 | 4152 | 734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe | 68 (×3)
PID 800 wrote to memory of 4400 | 800 | setup_install.exe | 71 (×3)
PID 800 wrote to memory of 4388 | 800 | setup_install.exe | 72 (×3)
PID 800 wrote to memory of 4464 | 800 | setup_install.exe | 73 (×3)
PID 800 wrote to memory of 4376 | 800 | setup_install.exe | 74 (×3)
PID 800 wrote to memory of 4384 | 800 | setup_install.exe | 75 (×3)
PID 800 wrote to memory of 3200 | 800 | setup_install.exe | 76 (×3)
PID 800 wrote to memory of 2760 | 800 | setup_install.exe | 77 (×3)
PID 800 wrote to memory of 4432 | 800 | setup_install.exe | 79 (×3)
PID 800 wrote to memory of 3172 | 800 | setup_install.exe | 78 (×3)
PID 800 wrote to memory of 60 | 800 | setup_install.exe | 92 (×3)
PID 4400 wrote to memory of 4492 | 4400 | cmd.exe | 81 (×3)
PID 4388 wrote to memory of 3132 | 4388 | cmd.exe | 80 (×3)
PID 4376 wrote to memory of 3008 | 4376 | cmd.exe | 91 (×2)
PID 4384 wrote to memory of 4112 | 4384 | cmd.exe | 82 (×3)
PID 4432 wrote to memory of 428 | 4432 | cmd.exe | 90 (×2)
PID 4464 wrote to memory of 500 | 4464 | cmd.exe | 89 (×3)
PID 3200 wrote to memory of 1080 | 3200 | cmd.exe | 83 (×3)
PID 3172 wrote to memory of 1408 | 3172 | cmd.exe | 85 (×3)
PID 60 wrote to memory of 1456 | 60 | cmd.exe | 88 (×2)
PID 2760 wrote to memory of 1560 | 2760 | cmd.exe | 86 (×3)
PID 3132 wrote to memory of 2688 | 3132 | Tue09a700e547.exe | 93 (×3)
PID 1408 wrote to memory of 3452 | 1408 | Tue09d48d6e278d9ad1.exe | 95
Processes
C:\Users\Admin\AppData\Local\Temp\734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\734C31431B89B7501B984AF35A2D61BDCE27BA87CA484.exe"
  - Suspicious use of WriteProcessMemory
  PID: 4152
  C:\Users\Admin\AppData\Local\Temp\7zS830151E5\setup_install.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS830151E5\setup_install.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 800
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      - Suspicious use of WriteProcessMemory
      PID: 4400
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4492
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue09a700e547.exe
      - Suspicious use of WriteProcessMemory
      PID: 4388
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue09a700e547.exe
        Command line: Tue09a700e547.exe
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 3132
        C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue09a700e547.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue09a700e547.exe" -a
          - Executes dropped EXE
          PID: 2688
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2688 -s 22952
            - Program crash
            PID: 1720
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue09ca5dc30ca0.exe
      - Suspicious use of WriteProcessMemory
      PID: 4464
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue09ca5dc30ca0.exe
        Command line: Tue09ca5dc30ca0.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        PID: 500
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue094bcd3f59.exe
      - Suspicious use of WriteProcessMemory
      PID: 4376
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue094bcd3f59.exe
        Command line: Tue094bcd3f59.exe
        - Executes dropped EXE
        PID: 3008
        C:\Windows\system32\WerFault.exe
          Command line: C:\Windows\system32\WerFault.exe -u -p 3008 -s 1020
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3284
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue0920739b1b1367340.exe
      - Suspicious use of WriteProcessMemory
      PID: 4384
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue0920739b1b1367340.exe
        Command line: Tue0920739b1b1367340.exe
        - Executes dropped EXE
        - Modifies system certificate store
        PID: 4112
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 768
          - Program crash
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 2588
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 792
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 2228
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 828
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 1520
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 804
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 2128
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 964
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 1900
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 992
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3168
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1424
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 2032
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1464
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3628
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1656
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3892
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1360
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 4236
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1628
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 4484
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1652
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3084
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1644
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 3784
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1668
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 2912
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1420
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 404
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4112 -s 1488
          - Suspicious use of NtCreateProcessExOtherParentProcess
          - Program crash
          - Suspicious use of AdjustPrivilegeToken
          PID: 4288
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue094093eaba3241.exe
      - Suspicious use of WriteProcessMemory
      PID: 3200
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue094093eaba3241.exe
        Command line: Tue094093eaba3241.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 1080
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue090358524773b93.exe
      - Suspicious use of WriteProcessMemory
      PID: 2760
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue090358524773b93.exe
        Command line: Tue090358524773b93.exe
        - Executes dropped EXE
        - Checks computer location settings
        PID: 1560
        C:\Users\Admin\Pictures\Adobe Films\d89ZrndOU42v8CmwJT6HiF4w.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\d89ZrndOU42v8CmwJT6HiF4w.exe"
          - Executes dropped EXE
          PID: 1524
        C:\Users\Admin\Pictures\Adobe Films\3Lx2rqzHWvdp52XF3dFLncJr.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\3Lx2rqzHWvdp52XF3dFLncJr.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          PID: 4196
          C:\Users\Admin\Documents\dFwgqfg1Q7n4ADjCFF0MWveP.exe
            Command line: "C:\Users\Admin\Documents\dFwgqfg1Q7n4ADjCFF0MWveP.exe"
            - Executes dropped EXE
            PID: 1400
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
            - Creates scheduled task(s)
            PID: 2284
          C:\Windows\SysWOW64\schtasks.exe
            Command line: schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
            - Creates scheduled task(s)
            PID: 4820
        C:\Users\Admin\Pictures\Adobe Films\xTZx6JOiV3rsuzx60KU4Lw2G.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\xTZx6JOiV3rsuzx60KU4Lw2G.exe"
          - Executes dropped EXE
          PID: 4208
          C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4208 -s 340
            - Program crash
            PID: 1872
        C:\Users\Admin\Pictures\Adobe Films\70x8Z1vYh07fX13GCbik8aU3.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\70x8Z1vYh07fX13GCbik8aU3.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
          PID: 4484
        C:\Users\Admin\Pictures\Adobe Films\14c50LdrpAJkywtMlv_IMCLP.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\14c50LdrpAJkywtMlv_IMCLP.exe"
          - Executes dropped EXE
          PID: 1836
        C:\Users\Admin\Pictures\Adobe Films\y__12xwA6088lTTfcsU1tsc_.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\y__12xwA6088lTTfcsU1tsc_.exe"
          - Executes dropped EXE
          - Drops file in Program Files directory
          PID: 4500
          C:\Program Files (x86)\Company\NewProduct\inst2.exe
            Command line: "C:\Program Files (x86)\Company\NewProduct\inst2.exe"
            - Executes dropped EXE
            PID: 4316
          C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe
            Command line: "C:\Program Files (x86)\Company\NewProduct\jg1_1faf.exe"
            - Executes dropped EXE
            PID: 4308
          C:\Program Files (x86)\Company\NewProduct\rtst1039.exe
            Command line: "C:\Program Files (x86)\Company\NewProduct\rtst1039.exe"
            - Executes dropped EXE
            PID: 2808
        C:\Users\Admin\Pictures\Adobe Films\mAvVtB0A11xUzkDIYki8UOsR.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\mAvVtB0A11xUzkDIYki8UOsR.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          PID: 1444
        C:\Users\Admin\Pictures\Adobe Films\gW7eponAAgJdtjhvyy5cFVR1.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\gW7eponAAgJdtjhvyy5cFVR1.exe"
          - Executes dropped EXE
          PID: 3080
        C:\Users\Admin\Pictures\Adobe Films\ObPSRUMsooTNbko_DbZAmY6a.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\ObPSRUMsooTNbko_DbZAmY6a.exe"
          - Executes dropped EXE
          PID: 4276
        C:\Users\Admin\Pictures\Adobe Films\ni103IsopTImTsV_RO7LtV_C.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\ni103IsopTImTsV_RO7LtV_C.exe"
          - Executes dropped EXE
          PID: 1244
        C:\Users\Admin\Pictures\Adobe Films\OSrEf9DPpntbBXRTydBxDLXc.exe
          Command line: "C:\Users\Admin\Pictures\Adobe Films\OSrEf9DPpntbBXRTydBxDLXc.exe"
          - Executes dropped EXE
          PID: 1140
        C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1560 -s 2876
          - Program crash
          PID: 4796
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue09d48d6e278d9ad1.exe
      - Suspicious use of WriteProcessMemory
      PID: 3172
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue09d48d6e278d9ad1.exe
        Command line: Tue09d48d6e278d9ad1.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of WriteProcessMemory
        PID: 1408
        C:\Windows\SysWOW64\dllhost.exe
          Command line: dllhost.exe
          PID: 3452
        C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c cmd < Vai.pdf
          PID: 4816
          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd
            PID: 4284
            C:\Windows\SysWOW64\findstr.exe
              Command line: findstr /V /R "^mtHoKMPFYDHibgXoaLvAaWsXCpDWIDAtGvzDsjSTgLhRLduwJPppYNJDMJFBoSWxeCBqVxQuTCkHIAkke$" Dal.pdf
              PID: 2808
            C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
              Command line: Volevo.exe.com H
              - Executes dropped EXE
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              PID: 3564
              C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com
                Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Volevo.exe.com H
                - Executes dropped EXE
                - Suspicious use of FindShellTrayWindow
                - Suspicious use of SendNotifyMessage
                PID: 2344
            C:\Windows\SysWOW64\PING.EXE
              Command line: ping LUCNJVHX -n 30
              - Runs ping.exe
              PID: 2272
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue095a91fcf60e296.exe
      - Suspicious use of WriteProcessMemory
      PID: 4432
      C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue095a91fcf60e296.exe
        Command line: Tue095a91fcf60e296.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 428
    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 800 -s 568
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2068
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c Tue098c67724cc.exe
      - Suspicious use of WriteProcessMemory
      PID: 60
C:\Users\Admin\AppData\Local\Temp\7zS830151E5\Tue098c67724cc.exe
  Command line: Tue098c67724cc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID: 1456
Network
MITRE ATT&CK Enterprise v6
Persistence
  Modify Existing Service (1)
  Registry Run Keys / Startup Folder (1)
  Scheduled Task (1)
Defense Evasion
  Disabling Security Tools (1)
  Install Root Certificate (1)
  Modify Registry (3)
  Virtualization/Sandbox Evasion (1)
Web Service (1)