Analysis

  • max time kernel
    87s
  • max time network
    174s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    20/12/2021, 14:02

General

  • Target
    51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
  • Size
    7.2MB
  • MD5
    dae2316b551b4502015dee0773decd38
  • SHA1
    129446f53bd0ec2f336235dfa9ab7505e326354e
  • SHA256
    51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10
  • SHA512
    c52a5cc90d6e53d9968a585910d472af3188d0c509b51ecd9aa0e3e6a44fe866a9bdd5e473beccdb7dfe0fab7df95b0e6532b75a4535be91737932bb48353736

Malware Config

Extracted

  • Family
    socelars
  • C2
    http://www.biohazardgraphics.com/

Extracted

  • Family
    raccoon
  • Botnet
    b2a6680a55967ecaa6997d8e44705c8be49a632c
  • Attributes
    • url4cnc
      http://194.180.174.53/masseffectus2
      http://91.219.236.18/masseffectus2
      http://194.180.174.41/masseffectus2
      http://91.219.236.148/masseffectus2
      https://t.me/masseffectus2
  • rc4.plain

Extracted

  • Family
    vidar
  • Version
    49.1
  • Botnet
    915
  • C2
    https://noc.social/@sergeev46
    https://c.im/@sergeev47
  • Attributes
    • profile_id
      915

Extracted

  • Family
    smokeloader
  • Version
    2020
  • C2
    http://rcacademy.at/upload/
    http://e-lanpengeonline.com/upload/
    http://vjcmvz.cn/upload/
    http://galala.ru/upload/
    http://witra.ru/upload/
  • rc4.i32

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Raccoon

    Simple but powerful infostealer which was very active in 2019.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine Payload 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Socelars

    Socelars is an infostealer targeting browser cookies and credit card credentials.

  • Socelars Payload 1 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Vidar Stealer 2 IoCs
  • ASPack v2.12-2.42 6 IoCs

    Detects executables packed with ASPack v2.12-2.42

  • Downloads MZ/PE file
  • Executes dropped EXE 26 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Looks up geolocation information via web service

    Uses a legitimate geolocation service to find the infected system's geolocation info.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Often seen in ransomware, but not conclusive on its own: no ransomware family was extracted from this sample, only stealers and a loader.

  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 3 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:864
  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
    PID:464
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Modifies registry class
      PID:2528
  • C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe
    "C:\Users\Admin\AppData\Local\Temp\51e9f37d22b1fab57644a98cb4a8371e6313951a9c7c7e420434fd193ebf4c10.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1696
      • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\setup_install.exe
        "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\setup_install.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1800
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1464
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          4⤵
          PID:1044
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            5⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:912
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020372b94495.exe
          4⤵
          • Loads dropped DLL
          PID:1808
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020372b94495.exe
            Sun020372b94495.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1064
            • C:\Users\Admin\AppData\Local\c673538e-bc71-49fc-84c5-b9335c993a1d.exe
              "C:\Users\Admin\AppData\Local\c673538e-bc71-49fc-84c5-b9335c993a1d.exe"
              6⤵
              PID:2316
            • C:\Users\Admin\AppData\Local\fb4eb402-6f5c-4232-9d63-679ab7d296e4.exe
              "C:\Users\Admin\AppData\Local\fb4eb402-6f5c-4232-9d63-679ab7d296e4.exe"
              6⤵
              PID:2376
              • C:\Users\Admin\AppData\Roaming\23988080\2398732023987320.exe
                "C:\Users\Admin\AppData\Roaming\23988080\2398732023987320.exe"
                7⤵
                PID:2496
            • C:\Users\Admin\AppData\Local\fca7d647-6eb5-4605-87fc-7dfc255f9c83.exe
              "C:\Users\Admin\AppData\Local\fca7d647-6eb5-4605-87fc-7dfc255f9c83.exe"
              6⤵
              PID:948
            • C:\Users\Admin\AppData\Local\6c0099e9-0f26-4582-ae56-15b9e7c40ae8.exe
              "C:\Users\Admin\AppData\Local\6c0099e9-0f26-4582-ae56-15b9e7c40ae8.exe"
              6⤵
              PID:2436
            • C:\Users\Admin\AppData\Local\71917e6a-c266-4999-b0f1-d8f27323c560.exe
              "C:\Users\Admin\AppData\Local\71917e6a-c266-4999-b0f1-d8f27323c560.exe"
              6⤵
              PID:2860
              • C:\Users\Admin\AppData\Roaming\1474843.exe
                "C:\Users\Admin\AppData\Roaming\1474843.exe"
                7⤵
                PID:2388
                • C:\Windows\SysWOW64\control.exe
                  "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                  8⤵
                  PID:2396
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",
                    9⤵
                    PID:2320
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02687ff429634d30b.exe
          4⤵
          • Loads dropped DLL
          PID:1440
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02687ff429634d30b.exe
            Sun02687ff429634d30b.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            • Suspicious use of AdjustPrivilegeToken
            PID:1596
            • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02687ff429634d30b.exe
              C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02687ff429634d30b.exe
              6⤵
              • Executes dropped EXE
              PID:2960
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02d50deb5f.exe
          4⤵
          • Loads dropped DLL
          PID:832
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02d50deb5f.exe
            Sun02d50deb5f.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1924
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02158c4429642.exe
          4⤵
          • Loads dropped DLL
          PID:844
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02158c4429642.exe
            Sun02158c4429642.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:792
            • C:\Users\Admin\Pictures\Adobe Films\EtSbfR5GHuefNhYTDKtiBniK.exe
              "C:\Users\Admin\Pictures\Adobe Films\EtSbfR5GHuefNhYTDKtiBniK.exe"
              6⤵
              PID:1412
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 792 -s 992
              6⤵
              • Program crash
              PID:2508
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02466441087bfc9.exe
          4⤵
          • Loads dropped DLL
          PID:992
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02466441087bfc9.exe
            Sun02466441087bfc9.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1228
            • C:\Users\Admin\Pictures\Adobe Films\EtSbfR5GHuefNhYTDKtiBniK.exe
              "C:\Users\Admin\Pictures\Adobe Films\EtSbfR5GHuefNhYTDKtiBniK.exe"
              6⤵
              PID:2732
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 1228 -s 1496
              6⤵
              • Program crash
              PID:2748
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun025e2074db2bd693.exe
          4⤵
          • Loads dropped DLL
          PID:1736
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun025e2074db2bd693.exe
            Sun025e2074db2bd693.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of AdjustPrivilegeToken
            PID:1264
            • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun025e2074db2bd693.exe
              C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun025e2074db2bd693.exe
              6⤵
              PID:2944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02a326084de0.exe
          4⤵
          • Loads dropped DLL
          PID:1564
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02a326084de0.exe
            Sun02a326084de0.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1624
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\LBFPVwUW.cpl",
              6⤵
              PID:2252
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02989ef95cb95.exe
          4⤵
          • Loads dropped DLL
          PID:1772
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02989ef95cb95.exe
            Sun02989ef95cb95.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Modifies system certificate store
            • Suspicious use of AdjustPrivilegeToken
            PID:1232
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c taskkill /f /im chrome.exe
              6⤵
              PID:2768
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im chrome.exe
                7⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2844
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02dc04e4fb5564a.exe
          4⤵
          • Loads dropped DLL
          PID:1776
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02dc04e4fb5564a.exe
            Sun02dc04e4fb5564a.exe
            5⤵
            • Executes dropped EXE
            PID:1072
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              • Executes dropped EXE
              PID:1196
            • C:\Users\Admin\AppData\Local\Temp\11111.exe
              C:\Users\Admin\AppData\Local\Temp\11111.exe /stab C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
              6⤵
              • Executes dropped EXE
              PID:2296
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02b54c9f5924cbd3f.exe
          4⤵
          • Loads dropped DLL
          PID:1724
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02b54c9f5924cbd3f.exe
            Sun02b54c9f5924cbd3f.exe
            5⤵
            • Executes dropped EXE
            PID:1728
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02b9c2ca0dbf.exe /mixtwo
          4⤵
          • Loads dropped DLL
          PID:1932
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02b9c2ca0dbf.exe
            Sun02b9c2ca0dbf.exe /mixtwo
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetThreadContext
            PID:2028
            • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02b9c2ca0dbf.exe
              Sun02b9c2ca0dbf.exe /mixtwo
              6⤵
              • Executes dropped EXE
              PID:1060
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c taskkill /im "Sun02b9c2ca0dbf.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02b9c2ca0dbf.exe" & exit
                7⤵
                PID:2460
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /im "Sun02b9c2ca0dbf.exe" /f
                  8⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2520
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020570a5cfa553fb.exe
          4⤵
          • Loads dropped DLL
          PID:972
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020570a5cfa553fb.exe
            Sun020570a5cfa553fb.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1016
            • C:\Users\Admin\AppData\Local\Temp\is-ED4V0.tmp\Sun020570a5cfa553fb.tmp
              "C:\Users\Admin\AppData\Local\Temp\is-ED4V0.tmp\Sun020570a5cfa553fb.tmp" /SL5="$1015C,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020570a5cfa553fb.exe"
              6⤵
              • Executes dropped EXE
              PID:1336
              • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020570a5cfa553fb.exe
                "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020570a5cfa553fb.exe" /SILENT
                7⤵
                • Executes dropped EXE
                PID:1588
                • C:\Users\Admin\AppData\Local\Temp\is-OQVO0.tmp\Sun020570a5cfa553fb.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-OQVO0.tmp\Sun020570a5cfa553fb.tmp" /SL5="$20154,870426,780800,C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020570a5cfa553fb.exe" /SILENT
                  8⤵
                  • Executes dropped EXE
                  PID:2080
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun02bca234bb37c.exe
          4⤵
          • Loads dropped DLL
          PID:332
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun02bca234bb37c.exe
            Sun02bca234bb37c.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks SCSI registry key(s)
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            PID:1208
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun0289a4802fe9c10.exe
          4⤵
          • Loads dropped DLL
          PID:548
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0289a4802fe9c10.exe
            Sun0289a4802fe9c10.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:736
            • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0289a4802fe9c10.exe
              "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0289a4802fe9c10.exe" -u
              6⤵
              • Executes dropped EXE
              PID:1744
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun020a58adf7e2118f.exe
          4⤵
          • Loads dropped DLL
          PID:1156
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun020a58adf7e2118f.exe
            Sun020a58adf7e2118f.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1460
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
              6⤵
              PID:2332
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
                7⤵
                PID:2400
                • C:\Windows\system32\RunDll32.exe
                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
                  8⤵
                  PID:1868
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",
                    9⤵
                    PID:2756
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c Sun0258a3bfb9448.exe
          4⤵
          • Loads dropped DLL
          PID:1160
          • C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0258a3bfb9448.exe
            Sun0258a3bfb9448.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            PID:1560
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit
              6⤵
              PID:2592
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /im Sun0258a3bfb9448.exe /f
                7⤵
                • Kills process with taskkill
                PID:1596
              • C:\Windows\SysWOW64\timeout.exe
                timeout /t 6
                7⤵
                • Delays execution with timeout.exe
                PID:2552
  • C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:1568
  • C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    1⤵
    • Process spawned unexpected child process
    PID:1136
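The Defender tampering at depth 5, the .cpl applets launched from %TEMP% through control.exe and rundll32.exe, the taskkill of chrome.exe, the renamed NirSoft binary (11111.exe) run with cookie-dump switches, and the taskkill-then-del self-deletion batch are the command lines a detection engineer would pull out of this tree. The following Python is an added example, not part of the sandbox output: it runs five regular-expression rules over a constructed set of process-creation events whose command lines are copied from the tree (Sysmon Event ID 1 style dicts; the field names, event shape and rule names are assumptions, and the rules generalise slightly beyond the tree to other browsers, pwsh.exe and the other NirSoft save switches).

```python
"""Detection rules for the behaviour recorded in the process tree above.

Added example, not part of the sandbox output: a handful of regular-expression
rules applied to process-creation events. The event format (Sysmon Event ID 1
style dicts), field names and rule names are assumptions made for this example.
"""
import re

# Constructed sample events: command lines copied from the process tree above,
# plus one benign control record (notepad.exe) that must produce no hit.
EVENTS = [
    {"pid": 1464, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -inputformat none -outputformat none -NonInteractive -Command "
                r"Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable"},
    {"pid": 912, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -inputformat none -outputformat none -NonInteractive -Command '
                r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"'},
    {"pid": 2396, "image": r"C:\Windows\SysWOW64\control.exe",
     "cmdline": r'"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\5wSR6.cPL",'},
    {"pid": 2756, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 '
                r'"C:\Users\Admin\AppData\Local\Temp\CCPKJ.CPl",'},
    {"pid": 2844, "image": r"C:\Windows\SysWOW64\taskkill.exe",
     "cmdline": "taskkill /f /im chrome.exe"},
    {"pid": 1196, "image": r"C:\Users\Admin\AppData\Local\Temp\11111.exe",
     "cmdline": r'C:\Users\Admin\AppData\Local\Temp\11111.exe /CookiesFile '
                r'"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cookies" '
                r'/scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt'},
    {"pid": 2592, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'"C:\Windows\System32\cmd.exe" /c taskkill /im Sun0258a3bfb9448.exe /f & timeout /t 6 & '
                r'del /f /q "C:\Users\Admin\AppData\Local\Temp\7zS0A6E6426\Sun0258a3bfb9448.exe" & del C:\ProgramData\*.dll & exit'},
    {"pid": 4242, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" C:\Users\Admin\notes.txt'},
]

# (rule name, image basenames the rule applies to or None for any image, command-line pattern)
RULES = [
    # Defender tampering: the two PowerShell one-liners at depth 5 of the tree.
    ("defender_tamper", {"powershell.exe", "pwsh.exe"},
     re.compile(r"(Set|Add)-MpPreference\b.*?-(DisableRealtimeMonitoring|ExclusionPath|"
                r"ExclusionProcess|MAPSReporting|SubmitSamplesConsent)", re.I)),
    # Control-panel applets loaded from a user-writable path via control.exe/rundll32.exe.
    ("cpl_from_user_writable_path", {"control.exe", "rundll32.exe"},
     re.compile(r'\\(AppData|ProgramData|Users\\Public|Temp)\\[^"]*\.cpl\b', re.I)),
    # Killing a browser so its locked credential/cookie databases can be read.
    ("browser_process_kill", {"taskkill.exe"},
     re.compile(r'/im\s+"?(chrome|firefox|msedge|opera|brave)\.exe', re.I)),
    # NirSoft-style output switches; no image filter because the tool was renamed 11111.exe.
    ("nirsoft_credential_dump_switches", None,
     re.compile(r"/(CookiesFile|scookiestxt|stab|stext|scomma|shtml)\b", re.I)),
    # taskkill chained with del/erase: the payload removing its own dropper.
    ("self_delete_chain", {"cmd.exe"},
     re.compile(r"taskkill\b.*&.*\b(del|erase)\b", re.I)),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(events):
    """Return (pid, rule_name) pairs, one per rule that matches an event."""
    hits = []
    for ev in events:
        image = basename(ev["image"])
        for name, images, pattern in RULES:
            if images is not None and image not in images:
                continue
            if pattern.search(ev["cmdline"]):
                hits.append((ev["pid"], name))
    return hits


def summarize(events):
    """Group hits as {rule_name: sorted PIDs}, the shape a triage note wants."""
    grouped = {}
    for pid, name in scan(events):
        grouped.setdefault(name, []).append(pid)
    return {name: sorted(pids) for name, pids in grouped.items()}


if __name__ == "__main__":
    for name, pids in summarize(EVENTS).items():
        print(f"{name}: PIDs {pids}")
```

Each rule is keyed on the image basename so that the `/c taskkill` text inside a cmd.exe command line does not also count as a taskkill execution; the NirSoft rule deliberately has no image filter because a name match against a dropper-chosen file name like 11111.exe is worthless. Running the file prints the hits grouped by rule; against the constructed events every rule fires exactly on the PIDs from the tree and the notepad.exe control stays silent.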

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/668-83-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize 572KB
  • memory/668-97-0x000000006B280000-0x000000006B2A6000-memory.dmp
    Filesize 152KB
  • memory/668-92-0x0000000064940000-0x0000000064959000-memory.dmp
    Filesize 100KB
  • memory/668-95-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize 572KB
  • memory/668-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize 1.5MB
  • memory/668-84-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize 572KB
  • memory/668-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize 1.5MB
  • memory/668-85-0x000000006B440000-0x000000006B4CF000-memory.dmp
    Filesize 572KB
  • memory/668-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize 1.5MB
  • memory/668-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp
    Filesize

                                                      1.5MB

                                                    • memory/668-90-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                      Filesize

                                                      152KB

                                                    • memory/668-91-0x0000000064940000-0x0000000064959000-memory.dmp

                                                      Filesize

                                                      100KB

                                                    • memory/668-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                      Filesize

                                                      1.5MB

                                                    • memory/668-93-0x0000000064940000-0x0000000064959000-memory.dmp

                                                      Filesize

                                                      100KB

                                                    • memory/668-94-0x0000000064940000-0x0000000064959000-memory.dmp

                                                      Filesize

                                                      100KB

                                                    • memory/792-304-0x00000000041B0000-0x00000000042FE000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                    • memory/864-294-0x00000000025B0000-0x0000000002622000-memory.dmp

                                                      Filesize

                                                      456KB

                                                    • memory/864-292-0x0000000000940000-0x000000000098D000-memory.dmp

                                                      Filesize

                                                      308KB

                                                    • memory/912-259-0x0000000001DF0000-0x0000000002A3A000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                    • memory/912-255-0x0000000001DF0000-0x0000000002A3A000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                    • memory/944-54-0x0000000075601000-0x0000000075603000-memory.dmp

                                                      Filesize

                                                      8KB

                                                    • memory/948-334-0x00000000004F0000-0x0000000000535000-memory.dmp

                                                      Filesize

                                                      276KB

                                                    • memory/1016-212-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                      Filesize

                                                      816KB

                                                    • memory/1060-197-0x0000000000400000-0x0000000000450000-memory.dmp

                                                      Filesize

                                                      320KB

                                                    • memory/1060-196-0x0000000000400000-0x0000000000450000-memory.dmp

                                                      Filesize

                                                      320KB

                                                    • memory/1060-236-0x0000000000400000-0x0000000000450000-memory.dmp

                                                      Filesize

                                                      320KB

                                                    • memory/1064-222-0x0000000001140000-0x0000000001141000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1064-270-0x000000001B020000-0x000000001B022000-memory.dmp

                                                      Filesize

                                                      8KB

                                                    • memory/1196-233-0x0000000000400000-0x0000000000455000-memory.dmp

                                                      Filesize

                                                      340KB

                                                    • memory/1208-241-0x0000000000400000-0x00000000004CA000-memory.dmp

                                                      Filesize

                                                      808KB

                                                    • memory/1208-238-0x0000000000250000-0x0000000000259000-memory.dmp

                                                      Filesize

                                                      36KB

                                                    • memory/1228-302-0x0000000003ED0000-0x000000000401E000-memory.dmp

                                                      Filesize

                                                      1.3MB

                                                    • memory/1264-261-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1264-262-0x0000000000220000-0x0000000000221000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1264-204-0x0000000001120000-0x0000000001121000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1336-226-0x0000000000260000-0x0000000000261000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1384-246-0x00000000029F0000-0x0000000002A06000-memory.dmp

                                                      Filesize

                                                      88KB

                                                    • memory/1464-258-0x0000000001F60000-0x0000000002BAA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                    • memory/1464-247-0x0000000001F60000-0x0000000002BAA000-memory.dmp

                                                      Filesize

                                                      12.3MB

                                                    • memory/1560-240-0x0000000002060000-0x0000000002139000-memory.dmp

                                                      Filesize

                                                      868KB

                                                    • memory/1560-242-0x0000000000400000-0x0000000000536000-memory.dmp

                                                      Filesize

                                                      1.2MB

                                                    • memory/1568-290-0x0000000000250000-0x00000000002AD000-memory.dmp

                                                      Filesize

                                                      372KB

                                                    • memory/1568-288-0x0000000001E10000-0x0000000001F11000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                    • memory/1588-235-0x0000000000400000-0x00000000004CC000-memory.dmp

                                                      Filesize

                                                      816KB

                                                    • memory/1596-205-0x00000000011D0000-0x00000000011D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1596-264-0x0000000000230000-0x00000000002BC000-memory.dmp

                                                      Filesize

                                                      560KB

                                                    • memory/1596-263-0x00000000008F0000-0x00000000008F1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/1924-269-0x000000001B260000-0x000000001B262000-memory.dmp

                                                      Filesize

                                                      8KB

                                                    • memory/1924-223-0x0000000000F00000-0x0000000000F01000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2080-245-0x0000000000280000-0x0000000000281000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2320-386-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2320-388-0x000000002DA20000-0x000000002DAD5000-memory.dmp

                                                      Filesize

                                                      724KB

                                                    • memory/2320-387-0x000000002D8A0000-0x000000002D957000-memory.dmp

                                                      Filesize

                                                      732KB

                                                    • memory/2400-274-0x0000000000190000-0x0000000000191000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2400-278-0x000000002D760000-0x000000002D819000-memory.dmp

                                                      Filesize

                                                      740KB

                                                    • memory/2400-279-0x000000002D8E0000-0x000000002D998000-memory.dmp

                                                      Filesize

                                                      736KB

                                                    • memory/2436-347-0x0000000000980000-0x00000000009C5000-memory.dmp

                                                      Filesize

                                                      276KB

                                                    • memory/2496-368-0x000000001AF60000-0x000000001AF62000-memory.dmp

                                                      Filesize

                                                      8KB

                                                    • memory/2528-299-0x0000000000190000-0x0000000000202000-memory.dmp

                                                      Filesize

                                                      456KB

                                                    • memory/2528-379-0x0000000002030000-0x0000000002059000-memory.dmp

                                                      Filesize

                                                      164KB

                                                    • memory/2528-380-0x0000000003420000-0x0000000003525000-memory.dmp

                                                      Filesize

                                                      1.0MB

                                                    • memory/2528-378-0x0000000001CC0000-0x0000000001CDB000-memory.dmp

                                                      Filesize

                                                      108KB

                                                    • memory/2748-384-0x00000000002E0000-0x00000000002E1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2756-317-0x00000000001D0000-0x00000000001D1000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2860-369-0x0000000001250000-0x0000000001251000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2944-325-0x0000000004C50000-0x0000000004C51000-memory.dmp

                                                      Filesize

                                                      4KB

                                                    • memory/2960-324-0x0000000004C30000-0x0000000004C31000-memory.dmp

                                                      Filesize

                                                      4KB
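Each dump above is named memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp, so the region span is recoverable from the name alone and can be checked against the listed Filesize before the file is downloaded. The Python below is an added example, not part of the report or of the sandbox's tooling: it parses the names, recomputes the span to confirm the listed size (the report shows whole KB below 1MB and one-decimal MB above, a rounding rule inferred from the listing), and summarizes per PID how many distinct regions were captured and how often each one was re-dumped, which is how you spot that PID 668 has four regions snapshotted fifteen times rather than fifteen different regions. The embedded sample list copies the PID 668 and 912 entries from the listing; the name layout is inferred, not documented by the sandbox.

```python
import re
from collections import defaultdict

# Dump names copied from the Downloads list above (PIDs 668 and 912).
SAMPLE_DUMPS = [
    "memory/668-83-0x000000006B440000-0x000000006B4CF000-memory.dmp",
    "memory/668-97-0x000000006B280000-0x000000006B2A6000-memory.dmp",
    "memory/668-92-0x0000000064940000-0x0000000064959000-memory.dmp",
    "memory/668-95-0x000000006B440000-0x000000006B4CF000-memory.dmp",
    "memory/668-96-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/668-84-0x000000006B440000-0x000000006B4CF000-memory.dmp",
    "memory/668-89-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/668-85-0x000000006B440000-0x000000006B4CF000-memory.dmp",
    "memory/668-88-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/668-86-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/668-90-0x000000006B280000-0x000000006B2A6000-memory.dmp",
    "memory/668-91-0x0000000064940000-0x0000000064959000-memory.dmp",
    "memory/668-87-0x000000006FE40000-0x000000006FFC6000-memory.dmp",
    "memory/668-93-0x0000000064940000-0x0000000064959000-memory.dmp",
    "memory/668-94-0x0000000064940000-0x0000000064959000-memory.dmp",
    "memory/912-259-0x0000000001DF0000-0x0000000002A3A000-memory.dmp",
    "memory/912-255-0x0000000001DF0000-0x0000000002A3A000-memory.dmp",
]

# Name layout inferred from the listing (assumption, not sandbox documentation):
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split a dump name into pid, sequence number, region bounds and span in bytes."""
    m = _DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes):
    """Reproduce the report's Filesize display: whole KB under 1MB, one-decimal MB above."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def check_listed_size(name, listed):
    """True when the listed Filesize equals the region span, i.e. the dump is not truncated."""
    return human_size(parse_dump_name(name)["size"]) == listed


def summarize(names):
    """Per PID: total dumps, distinct regions with their dump counts, and bytes of distinct regions."""
    per_pid = defaultdict(lambda: {"dumps": 0, "regions": {}, "unique_bytes": 0})
    for name in names:
        d = parse_dump_name(name)
        entry = per_pid[d["pid"]]
        entry["dumps"] += 1
        key = (d["start"], d["end"])
        if key not in entry["regions"]:
            entry["regions"][key] = 0
            entry["unique_bytes"] += d["size"]   # count each region's bytes once
        entry["regions"][key] += 1
    return dict(per_pid)


if __name__ == "__main__":
    for pid, info in sorted(summarize(SAMPLE_DUMPS).items()):
        print(f"PID {pid}: {info['dumps']} dumps over {len(info['regions'])} regions, "
              f"{human_size(info['unique_bytes'])} unique")
        for (start, end), count in sorted(info["regions"].items()):
            print(f"  0x{start:08X}-0x{end:08X} {human_size(end - start):>7} x{count}")
```

A mismatch from check_listed_size means the file on disk is not the whole region and should not be fed to a PE rebuilder or string scanner as if it were. Regions dumped several times under consecutive sequence numbers, as with PID 668 here, are the same memory captured on successive events, so diffing two of them shows what changed rather than adding new coverage.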