Analysis
-
max time kernel
153s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20220310-en -
submitted
19-03-2022 18:56
General
-
Target
79f3143ac8ecd0876d303b852620f479.exe
-
Size
229KB
-
MD5
79f3143ac8ecd0876d303b852620f479
-
SHA1
63b39e7cd8afd8a26d3c984d4e6fa2beaa87b9a2
-
SHA256
81ec5293c1be63d2bdb173f258830914b3dfd094159211f1703b4666eeca1cbc
-
SHA512
692e31b7a8b0342262d2d28bf25b0a597884cf62c472c1583b3e924a937eaf0241ba1d1303ae7dd1c8dc4794a3e29f4ac62b8eab3d00ab5be7dfc16e0b2edf0c
Score
10/10
Malware Config
Extracted
Family
vidar
Version
50.9
Botnet
1177
C2
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
Attributes
-
profile_id
1177
Extracted
Family
vidar
Version
50.9
Botnet
937
C2
https://ieji.de/@sam7al
https://busshi.moe/@sam0al
Attributes
-
profile_id
937
Signatures
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 17 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
VKeylogger
A keylogger first seen in Nov 2020.
-
VKeylogger Payload 3 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
-
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
-
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
-
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
OnlyLogger Payload 2 IoCs
-
Vidar Stealer 6 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 55 IoCs
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 14 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 16 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 11 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 6 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 2 IoCs
-
Enumerates processes with tasklist 1 TTPs 2 IoCs
-
Enumerates system info in registry 2 TTPs 4 IoCs
-
Kills process with taskkill 3 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 8 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\79f3143ac8ecd0876d303b852620f479.exe"C:\Users\Admin\AppData\Local\Temp\79f3143ac8ecd0876d303b852620f479.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\2sOsIltEH2dGzzqMR0Q5x8wA.exe"C:\Users\Admin\Pictures\Adobe Films\2sOsIltEH2dGzzqMR0Q5x8wA.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\MXCxFj1wVwyBERITQSGVmfnk.exe"C:\Users\Admin\Pictures\Adobe Films\MXCxFj1wVwyBERITQSGVmfnk.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in Program Files directory
-
C:\Users\Admin\Documents\LybSbFkmmvm8Zd1dBzBkDJgO.exe"C:\Users\Admin\Documents\LybSbFkmmvm8Zd1dBzBkDJgO.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies system certificate store
-
C:\Users\Admin\Pictures\Adobe Films\oC6FURFp9vo22ae96LAsAt9w.exe"C:\Users\Admin\Pictures\Adobe Films\oC6FURFp9vo22ae96LAsAt9w.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\QNFR0WBG4nIgJA14raoDC1QB.exe"C:\Users\Admin\Pictures\Adobe Films\QNFR0WBG4nIgJA14raoDC1QB.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 6165⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 6245⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 7205⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4792 -s 8045⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\LnF0jV4f7OsBU5ctDUNRd5lO.exe"C:\Users\Admin\Pictures\Adobe Films\LnF0jV4f7OsBU5ctDUNRd5lO.exe"4⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\VMmqsy5778VIabLDHAp0ObkK.exe"C:\Users\Admin\Pictures\Adobe Films\VMmqsy5778VIabLDHAp0ObkK.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd.exe /c taskkill /f /im chrome.exe5⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im chrome.exe6⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\WI6JmkyFVjC79pNukNBursdd.exe"C:\Users\Admin\Pictures\Adobe Films\WI6JmkyFVjC79pNukNBursdd.exe"4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\Pictures\Adobe Films\KW7SkET0cc4X1UgaWMwaJM_F.exe"C:\Users\Admin\Pictures\Adobe Films\KW7SkET0cc4X1UgaWMwaJM_F.exe"4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS87E5.tmp\Install.exe.\Install.exe5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zSA06F.tmp\Install.exe.\Install.exe /S /site_id "525403"6⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:649⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"7⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&8⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:329⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:649⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gNQhpXtEx" /SC once /ST 01:01:16 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="7⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gNQhpXtEx"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gNQhpXtEx"7⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bnHoQpKIlSSCUFQrDN" /SC once /ST 20:06:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qXPJNMcRbBFEeomOU\igHnmwfRSHoqfpr\ssDQEsW.exe\" Sk /site_id 525403 /S" /V1 /F7⤵
- Drops file in Windows directory
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\k1OH4szQtMcHwENW40z2p_8u.exe"C:\Users\Admin\Pictures\Adobe Films\k1OH4szQtMcHwENW40z2p_8u.exe"4⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\pub1.exe"C:\Users\Admin\AppData\Local\Temp\pub1.exe"5⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
-
C:\Users\Admin\AppData\Local\Temp\lilei.exe"C:\Users\Admin\AppData\Local\Temp\lilei.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\lilei.exe"C:\Users\Admin\AppData\Local\Temp\lilei.exe" -h6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"C:\Users\Admin\AppData\Local\Temp\InsigniaCleanerInstall238497.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\8c474140-549c-4da1-9408-f271f6da418d3085912.exe"C:\Users\Admin\AppData\Local\Temp\8c474140-549c-4da1-9408-f271f6da418d3085912.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\siww1049.exe"C:\Users\Admin\AppData\Local\Temp\siww1049.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1560 -s 8446⤵
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-T7SC5.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-T7SC5.tmp\setup.tmp" /SL5="$102B2,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\is-7PCSS.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-7PCSS.tmp\setup.tmp" /SL5="$80054,870458,780800,C:\Users\Admin\AppData\Local\Temp\setup.exe" /SILENT8⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inst200.exe"C:\Users\Admin\AppData\Local\Temp\inst200.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\udontsay.exe"C:\Users\Admin\AppData\Local\Temp\udontsay.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"C:\Users\Admin\AppData\Local\Temp\search_hyperfs_213.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -S 6GUEWmWv.OUP6⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\anytime1.exe"C:\Users\Admin\AppData\Local\Temp\anytime1.exe"5⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"6⤵
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\anytime2.exe"C:\Users\Admin\AppData\Local\Temp\anytime2.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\anytime3.exe"C:\Users\Admin\AppData\Local\Temp\anytime3.exe"5⤵
- Executes dropped EXE
-
-
C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"C:\Users\Admin\AppData\Local\Temp\bearvpn3.exe"5⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST3⤵
- Creates scheduled task(s)
-
-
-
C:\Users\Admin\Pictures\Adobe Films\fmm8YfQpz5_C_N9yOEK5pBRh.exe"C:\Users\Admin\Pictures\Adobe Films\fmm8YfQpz5_C_N9yOEK5pBRh.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\explorer.exe"C:\Windows\SysWOW64\explorer.exe"3⤵
- Adds Run key to start application
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2704 -s 4523⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\2WtLKR_AxMOSDy8q4f8FxRqr.exe"C:\Users\Admin\Pictures\Adobe Films\2WtLKR_AxMOSDy8q4f8FxRqr.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\8qAhgpDGTLdIEQfmpxwCAlll.exe"C:\Users\Admin\Pictures\Adobe Films\8qAhgpDGTLdIEQfmpxwCAlll.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\Jkj8PO_EQIF1v1BDnk4B03JG.exe"C:\Users\Admin\Pictures\Adobe Films\Jkj8PO_EQIF1v1BDnk4B03JG.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 6803⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 7883⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 8163⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\XdjPbeaoiYCJ1Pl6rf3VC9EL.exe"C:\Users\Admin\Pictures\Adobe Films\XdjPbeaoiYCJ1Pl6rf3VC9EL.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
-
C:\Windows\SysWOW64\svchost.exe"C:\Windows\System32\svchost.exe"3⤵
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla3⤵
-
C:\Windows\SysWOW64\cmd.execmd4⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq BullGuardCore.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\find.exefind /I /N "bullguardcore.exe"5⤵
-
-
C:\Windows\SysWOW64\find.exefind /I /N "psuaservice.exe"5⤵
-
-
C:\Windows\SysWOW64\tasklist.exetasklist /FI "imagename eq PSUAService.exe"5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla5⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifSta.exe.pif V5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pifC:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif6⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5216 -s 4487⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\waitfor.exewaitfor /t 5 MsGxuGavEVaQbserVWhrA5⤵
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\3hbnZhx8xEvwWIaRvmgIDohl.exe"C:\Users\Admin\Pictures\Adobe Films\3hbnZhx8xEvwWIaRvmgIDohl.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\DrKF6ZN1YvFu7eQdgZ3bGy4B.exe"C:\Users\Admin\Pictures\Adobe Films\DrKF6ZN1YvFu7eQdgZ3bGy4B.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\2sQ5YRZu8gj8nPv9d3o0vPmL.exe"C:\Users\Admin\Pictures\Adobe Films\2sQ5YRZu8gj8nPv9d3o0vPmL.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\PZgGb7e0HjX6GkW0EKxnrqBN.exe"C:\Users\Admin\Pictures\Adobe Films\PZgGb7e0HjX6GkW0EKxnrqBN.exe"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS239E.tmp\Install.exe.\Install.exe3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\7zS336C.tmp\Install.exe.\Install.exe /S /site_id "525403"4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:327⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:647⤵
-
-
-
-
C:\Windows\SysWOW64\forfiles.exe"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"5⤵
-
C:\Windows\SysWOW64\cmd.exe/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&6⤵
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:327⤵
-
-
\??\c:\windows\SysWOW64\reg.exeREG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:647⤵
-
-
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "gUGfntTQi" /SC once /ST 00:34:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="5⤵
- Creates scheduled task(s)
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /run /I /tn "gUGfntTQi"5⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /DELETE /F /TN "gUGfntTQi"5⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /TN "bnHoQpKIlSSCUFQrDN" /SC once /ST 20:07:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\qXPJNMcRbBFEeomOU\igHnmwfRSHoqfpr\xVhWyEH.exe\" Sk /site_id 525403 /S" /V1 /F5⤵
- Creates scheduled task(s)
-
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\EJisyTQR8Z8JiOT2DsTM_vda.exe"C:\Users\Admin\Pictures\Adobe Films\EJisyTQR8Z8JiOT2DsTM_vda.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\VJjBaSUkFn9MKU3U_DF4UEoX.exe"C:\Users\Admin\Pictures\Adobe Films\VJjBaSUkFn9MKU3U_DF4UEoX.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\PLhXyFVoXiG0KwIUXn7kAIJV.exe"C:\Users\Admin\Pictures\Adobe Films\PLhXyFVoXiG0KwIUXn7kAIJV.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\vcjYLGPVsDPpsGtVxsI88mk0.exe"C:\Users\Admin\Pictures\Adobe Films\vcjYLGPVsDPpsGtVxsI88mk0.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\s6KYskI_pyascABhvVooC0G8.exe"C:\Users\Admin\Pictures\Adobe Films\s6KYskI_pyascABhvVooC0G8.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\d5p3lJQGVpDAkppBTH0rR4q7.exe"C:\Users\Admin\Pictures\Adobe Films\d5p3lJQGVpDAkppBTH0rR4q7.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\krc5on4IBNinEGpw0OgG2VVI.exe"C:\Users\Admin\Pictures\Adobe Films\krc5on4IBNinEGpw0OgG2VVI.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im krc5on4IBNinEGpw0OgG2VVI.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\krc5on4IBNinEGpw0OgG2VVI.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im krc5on4IBNinEGpw0OgG2VVI.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\OnL0t407pMUl386TLwIfhQoY.exe"C:\Users\Admin\Pictures\Adobe Films\OnL0t407pMUl386TLwIfhQoY.exe"2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im OnL0t407pMUl386TLwIfhQoY.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\OnL0t407pMUl386TLwIfhQoY.exe" & del C:\ProgramData\*.dll & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im OnL0t407pMUl386TLwIfhQoY.exe /f4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 64⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\tZsazMtFSa24dDgrWQnBxd1q.exe"C:\Users\Admin\Pictures\Adobe Films\tZsazMtFSa24dDgrWQnBxd1q.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Pictures\Adobe Films\FMZluQTa7cMsxEwDNsrTgauj.exe"C:\Users\Admin\Pictures\Adobe Films\FMZluQTa7cMsxEwDNsrTgauj.exe"2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 396 -ip 3961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2140 -ip 21401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2704 -ip 27041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 396 -ip 3961⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2140 -ip 21401⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2948 -ip 29481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4792 -ip 47921⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==1⤵
-
C:\Windows\system32\gpupdate.exe"C:\Windows\system32\gpupdate.exe" /force2⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 600 -p 1560 -ip 15601⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 4792 -ip 47921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2292 -ip 22921⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\db.dll",global2⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 6003⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 4792 -ip 47921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 620 -p 1304 -ip 13041⤵
-
C:\Users\Admin\AppData\Local\Temp\2CC1.exeC:\Users\Admin\AppData\Local\Temp\2CC1.exe1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 4792 -ip 47921⤵
-
C:\Users\Admin\AppData\Local\Temp\55E5.exeC:\Users\Admin\AppData\Local\Temp\55E5.exe1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 5216 -ip 52161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2292 -ip 22921⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\explorer.exeC:\Windows\explorer.exe1⤵
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 668 -p 2292 -ip 22921⤵
Network
MITRE ATT&CK Enterprise v6
Persistence
Modify Existing Service
1Registry Run Keys / Startup Folder
1Scheduled Task
1Defense Evasion
Disabling Security Tools
1Install Root Certificate
1Modify Registry
3Virtualization/Sandbox Evasion
1Web Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.7MB
-
Filesize
1.2MB
-
Filesize
384KB
-
Filesize
8KB
-
Filesize
284KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
8KB
-
Filesize
6.1MB
-
Filesize
6.1MB
-
Filesize
2.1MB
-
Filesize
280KB
-
Filesize
7.7MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
548KB
-
Filesize
2.1MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
280KB
-
Filesize
7.7MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
548KB
-
Filesize
4KB
-
Filesize
2.1MB
-
Filesize
1.6MB
-
Filesize
3.8MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
3.8MB
-
Filesize
280KB
-
Filesize
7.7MB
-
Filesize
3.8MB
-
Filesize
4KB
-
Filesize
548KB
-
Filesize
384KB
-
Filesize
5.7MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
4KB
-
Filesize
548KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
7.7MB
-
Filesize
284KB
-
Filesize
156KB
-
Filesize
272KB
-
Filesize
556KB
-
Filesize
156KB
-
Filesize
464KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
72KB
-
Filesize
176KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
572KB
-
Filesize
7.7MB
-
Filesize
176KB
-
Filesize
384KB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
896KB
-
Filesize
1.7MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
3.5MB
-
Filesize
2.1MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
548KB
-
Filesize
4KB
-
Filesize
156KB
-
Filesize
7.7MB
-
Filesize
1024KB
-
Filesize
564KB
-
Filesize
4KB
-
Filesize
220KB
-
Filesize
76KB
-
Filesize
1.7MB
-
Filesize
432KB
-
Filesize
432KB
-
Filesize
828KB
-
Filesize
688KB