Analysis
-
max time kernel
146s -
max time network
153s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
25/12/2021, 19:11
Static task
static1
Behavioral task
behavioral1
Sample
819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe
Resource
win7-en-20211208
General
-
Target
819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe
-
Size
6.2MB
-
MD5
034469917307c8de1a984ac9fb025166
-
SHA1
a5ad1cb9bdbe68d25d4809e86abc1f8717e5582e
-
SHA256
819c9d8c88fc1ffbfeae1797646f7b90f930fef4dae513fe8e43fad3bf475bf0
-
SHA512
f965845a9ee4eb187dd909bc1210e4239b8748f41976ef0dfa9523dedf58c673985cb202ea79402446fe50247cd683a95cfc8c48c1720fe887469bf6195ebaf4
Malware Config
Extracted
socelars
http://www.iyiqian.com/
http://www.hbgents.top/
http://www.rsnzhy.com/
http://www.znsjis.top/
Extracted
redline
matthew2009
213.166.69.181:64650
Extracted
redline
ANI
45.142.215.47:27643
Extracted
vidar
41
706
https://mas.to/@killern0
-
profile_id
706
Extracted
smokeloader
2020
http://govsurplusstore.com/upload/
http://best-forsale.com/upload/
http://chmxnautoparts.com/upload/
http://kwazone.com/upload/
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 14 IoCs
resource yara_rule behavioral1/memory/1164-216-0x0000000000B20000-0x0000000001182000-memory.dmp family_redline behavioral1/memory/1164-217-0x0000000000B20000-0x0000000001182000-memory.dmp family_redline behavioral1/memory/2072-228-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2072-230-0x000000000041C5FA-mapping.dmp family_redline behavioral1/memory/2072-229-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2072-232-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2072-233-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2072-227-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2196-244-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2196-245-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2196-246-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2196-247-0x000000000041C5CA-mapping.dmp family_redline behavioral1/memory/2196-249-0x0000000000400000-0x0000000000422000-memory.dmp family_redline behavioral1/memory/2196-250-0x0000000000400000-0x0000000000422000-memory.dmp family_redline -
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars Payload 3 IoCs
resource yara_rule behavioral1/files/0x000600000001321e-111.dat family_socelars behavioral1/files/0x000600000001321e-159.dat family_socelars behavioral1/files/0x000600000001321e-146.dat family_socelars -
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Vidar Stealer 2 IoCs
resource yara_rule behavioral1/memory/1800-251-0x0000000001F80000-0x0000000002054000-memory.dmp family_vidar behavioral1/memory/1800-255-0x0000000000400000-0x0000000000517000-memory.dmp family_vidar -
resource yara_rule behavioral1/files/0x0006000000012608-70.dat aspack_v212_v242 behavioral1/files/0x0006000000012608-71.dat aspack_v212_v242 behavioral1/files/0x0008000000012284-72.dat aspack_v212_v242 behavioral1/files/0x0008000000012284-73.dat aspack_v212_v242 behavioral1/files/0x000600000001262d-76.dat aspack_v212_v242 behavioral1/files/0x000600000001262d-77.dat aspack_v212_v242 -
Executes dropped EXE 20 IoCs
pid Process 524 setup_installer.exe 1488 setup_install.exe 1648 Thu1333d0a5c4.exe 1732 Thu13a7cef837ebe31b.exe 1984 Thu132d3beffccd.exe 1496 Thu135c06033a9903.exe 1656 Thu139a4667a4bcc.exe 856 Thu131b8cfbf6991de.exe 788 Thu13c4f61c88e.exe 1568 Thu137fba5c145.exe 1136 Thu13b4c97dc09be.exe 1484 Thu135c06033a9903.tmp 672 Thu131d30b4ff3be.exe 1164 Thu13057255b6f0.exe 1752 Thu13e038722ba1359cc.exe 900 Thu1357848a7d8b.exe 1800 Thu1331399915bc.exe 2080 Thu137fba5c145.exe 2072 Thu132d3beffccd.exe 2196 Thu137fba5c145.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Thu13057255b6f0.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Thu13057255b6f0.exe -
Loads dropped DLL 64 IoCs
pid Process 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 524 setup_installer.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1488 setup_install.exe 1332 cmd.exe 2004 cmd.exe 1736 cmd.exe 1736 cmd.exe 1648 Thu1333d0a5c4.exe 1648 Thu1333d0a5c4.exe 1732 Thu13a7cef837ebe31b.exe 1732 Thu13a7cef837ebe31b.exe 1696 cmd.exe 980 cmd.exe 1984 Thu132d3beffccd.exe 1984 Thu132d3beffccd.exe 1720 cmd.exe 1720 cmd.exe 1496 Thu135c06033a9903.exe 1496 Thu135c06033a9903.exe 1748 cmd.exe 1748 cmd.exe 1068 cmd.exe 1068 cmd.exe 760 cmd.exe 1496 Thu135c06033a9903.exe 856 Thu131b8cfbf6991de.exe 1996 cmd.exe 856 Thu131b8cfbf6991de.exe 1996 cmd.exe 1568 Thu137fba5c145.exe 1568 Thu137fba5c145.exe 1480 cmd.exe 1656 Thu139a4667a4bcc.exe 1656 Thu139a4667a4bcc.exe 1744 cmd.exe 672 Thu131d30b4ff3be.exe 672 Thu131d30b4ff3be.exe 1164 Thu13057255b6f0.exe 1164 Thu13057255b6f0.exe 1932 cmd.exe 432 cmd.exe 432 cmd.exe 1800 Thu1331399915bc.exe 1800 Thu1331399915bc.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1484 Thu135c06033a9903.tmp 1484 Thu135c06033a9903.tmp 1484 Thu135c06033a9903.tmp 1984 Thu132d3beffccd.exe 1568 Thu137fba5c145.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/files/0x0006000000012665-153.dat themida behavioral1/memory/1164-216-0x0000000000B20000-0x0000000001182000-memory.dmp themida behavioral1/memory/1164-217-0x0000000000B20000-0x0000000001182000-memory.dmp themida -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Thu13057255b6f0.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 8 ip-api.com 81 ipinfo.io 82 ipinfo.io -
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 1164 Thu13057255b6f0.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1984 set thread context of 2072 1984 Thu132d3beffccd.exe 63 PID 1568 set thread context of 2196 1568 Thu137fba5c145.exe 66 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
pid pid_target Process procid_target 1168 1488 WerFault.exe 28 2460 1656 WerFault.exe 55 2712 1800 WerFault.exe 54 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu131d30b4ff3be.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu131d30b4ff3be.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI Thu131d30b4ff3be.exe -
Kills process with taskkill 1 IoCs
pid Process 2332 taskkill.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 Thu139a4667a4bcc.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde Thu139a4667a4bcc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1164 Thu13057255b6f0.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1168 WerFault.exe 1604 powershell.exe 672 Thu131d30b4ff3be.exe 672 Thu131d30b4ff3be.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2460 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 2712 WerFault.exe 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found 1416 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 856 Thu131b8cfbf6991de.exe 1168 WerFault.exe 2460 WerFault.exe 2712 WerFault.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 672 Thu131d30b4ff3be.exe -
Suspicious use of AdjustPrivilegeToken 41 IoCs
description pid Process Token: SeCreateTokenPrivilege 1656 Thu139a4667a4bcc.exe Token: SeAssignPrimaryTokenPrivilege 1656 Thu139a4667a4bcc.exe Token: SeLockMemoryPrivilege 1656 Thu139a4667a4bcc.exe Token: SeIncreaseQuotaPrivilege 1656 Thu139a4667a4bcc.exe Token: SeMachineAccountPrivilege 1656 Thu139a4667a4bcc.exe Token: SeTcbPrivilege 1656 Thu139a4667a4bcc.exe Token: SeSecurityPrivilege 1656 Thu139a4667a4bcc.exe Token: SeTakeOwnershipPrivilege 1656 Thu139a4667a4bcc.exe Token: SeLoadDriverPrivilege 1656 Thu139a4667a4bcc.exe Token: SeSystemProfilePrivilege 1656 Thu139a4667a4bcc.exe Token: SeSystemtimePrivilege 1656 Thu139a4667a4bcc.exe Token: SeProfSingleProcessPrivilege 1656 Thu139a4667a4bcc.exe Token: SeIncBasePriorityPrivilege 1656 Thu139a4667a4bcc.exe Token: SeCreatePagefilePrivilege 1656 Thu139a4667a4bcc.exe Token: SeCreatePermanentPrivilege 1656 Thu139a4667a4bcc.exe Token: SeBackupPrivilege 1656 Thu139a4667a4bcc.exe Token: SeRestorePrivilege 1656 Thu139a4667a4bcc.exe Token: SeShutdownPrivilege 1656 Thu139a4667a4bcc.exe Token: SeDebugPrivilege 1656 Thu139a4667a4bcc.exe Token: SeAuditPrivilege 1656 Thu139a4667a4bcc.exe Token: SeSystemEnvironmentPrivilege 1656 Thu139a4667a4bcc.exe Token: SeChangeNotifyPrivilege 1656 Thu139a4667a4bcc.exe Token: SeRemoteShutdownPrivilege 1656 Thu139a4667a4bcc.exe Token: SeUndockPrivilege 1656 Thu139a4667a4bcc.exe Token: SeSyncAgentPrivilege 1656 Thu139a4667a4bcc.exe Token: SeEnableDelegationPrivilege 1656 Thu139a4667a4bcc.exe Token: SeManageVolumePrivilege 1656 Thu139a4667a4bcc.exe Token: SeImpersonatePrivilege 1656 Thu139a4667a4bcc.exe Token: SeCreateGlobalPrivilege 1656 Thu139a4667a4bcc.exe Token: 31 1656 Thu139a4667a4bcc.exe Token: 32 1656 Thu139a4667a4bcc.exe Token: 33 1656 Thu139a4667a4bcc.exe Token: 34 1656 Thu139a4667a4bcc.exe Token: 35 1656 Thu139a4667a4bcc.exe Token: SeDebugPrivilege 1752 Thu13e038722ba1359cc.exe Token: SeDebugPrivilege 1168 WerFault.exe Token: SeDebugPrivilege 900 Thu1357848a7d8b.exe Token: SeDebugPrivilege 1604 powershell.exe Token: SeDebugPrivilege 2332 taskkill.exe Token: SeDebugPrivilege 2460 WerFault.exe Token: SeDebugPrivilege 2712 WerFault.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 856 wrote to memory of 524 856 819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe 27 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 524 wrote to memory of 1488 524 setup_installer.exe 28 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 1992 1488 setup_install.exe 30 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 2004 1488 setup_install.exe 31 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1332 1488 setup_install.exe 32 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1736 1488 setup_install.exe 33 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1488 wrote to memory of 1696 1488 setup_install.exe 61 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1332 wrote to memory of 1648 1332 cmd.exe 35 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 980 1488 setup_install.exe 34 PID 1488 wrote to memory of 1720 1488 setup_install.exe 36
Processes
-
C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe"C:\Users\Admin\AppData\Local\Temp\819C9D8C88FC1FFBFEAE1797646F7B90F930FEF4DAE51.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:856 -
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:524 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\setup_install.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵PID:1992
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1604
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13a7cef837ebe31b.exe4⤵
- Loads dropped DLL
PID:2004 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu13a7cef837ebe31b.exeThu13a7cef837ebe31b.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1333d0a5c4.exe4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu1333d0a5c4.exeThu1333d0a5c4.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu132d3beffccd.exe4⤵
- Loads dropped DLL
PID:1736 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu132d3beffccd.exeThu132d3beffccd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1984 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu132d3beffccd.exeC:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu132d3beffccd.exe6⤵
- Executes dropped EXE
PID:2072
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu139a4667a4bcc.exe4⤵
- Loads dropped DLL
PID:980 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu139a4667a4bcc.exeThu139a4667a4bcc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1656 -
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe6⤵PID:2284
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2332
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1656 -s 14406⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2460
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu131b8cfbf6991de.exe /mixone4⤵
- Loads dropped DLL
PID:1720 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu131b8cfbf6991de.exeThu131b8cfbf6991de.exe /mixone5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
PID:856
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu137fba5c145.exe4⤵
- Loads dropped DLL
PID:1068 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu137fba5c145.exeThu137fba5c145.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:1568 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu137fba5c145.exeC:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu137fba5c145.exe6⤵
- Executes dropped EXE
PID:2080
-
-
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu137fba5c145.exeC:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu137fba5c145.exe6⤵
- Executes dropped EXE
PID:2196
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13c4f61c88e.exe4⤵
- Loads dropped DLL
PID:1748 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu13c4f61c88e.exeThu13c4f61c88e.exe5⤵
- Executes dropped EXE
PID:788
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13057255b6f0.exe4⤵
- Loads dropped DLL
PID:1480 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu13057255b6f0.exeThu13057255b6f0.exe5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:1164
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13b4c97dc09be.exe4⤵
- Loads dropped DLL
PID:760 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu13b4c97dc09be.exeThu13b4c97dc09be.exe5⤵
- Executes dropped EXE
PID:1136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1331399915bc.exe4⤵
- Loads dropped DLL
PID:432 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu1331399915bc.exeThu1331399915bc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 13686⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2712
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu131d30b4ff3be.exe4⤵
- Loads dropped DLL
PID:1996 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu131d30b4ff3be.exeThu131d30b4ff3be.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:672
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu13e038722ba1359cc.exe4⤵
- Loads dropped DLL
PID:1744 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu13e038722ba1359cc.exeThu13e038722ba1359cc.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1752
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu1357848a7d8b.exe4⤵
- Loads dropped DLL
PID:1932 -
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu1357848a7d8b.exeThu1357848a7d8b.exe5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:900
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 4724⤵
- Loads dropped DLL
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1168
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Thu135c06033a9903.exe4⤵
- Loads dropped DLL
PID:1696
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\is-S2MR3.tmp\Thu135c06033a9903.tmp"C:\Users\Admin\AppData\Local\Temp\is-S2MR3.tmp\Thu135c06033a9903.tmp" /SL5="$A0154,506086,422400,C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu135c06033a9903.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484
-
C:\Users\Admin\AppData\Local\Temp\7zSC021EBD5\Thu135c06033a9903.exeThu135c06033a9903.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496
Network
MITRE ATT&CK Enterprise v6
Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
2Virtualization/Sandbox Evasion
1Web Service
1