redline | fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26-05-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe
Size

7.3MB
MD5

5c95d5493dda877b228a6485a6d40d9c
SHA1

185482dabc06787f6ce14c6cd46c17372a1b77ae
SHA256

fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9
SHA512

05334c39be051eb33c0ad4787cd8d56a1386115bf809f2ec44088f719ab5bf3caf8e7a4539cb5d10b60bc5452b98d01656332b7e5c608038aeae73bd88b16e24
SSDEEP

196608:0qw9h20Qu0lFIutULgNr8cQ6P/qrFfDG2HD14LDsYu67ReBR:w2FIutULgS7rlDvDSI6cz

Score

10^/10

redline sectoprat discovery evasion infostealer rat spyware stealer themida trojan

Malware Config

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2136-69-0x00000000012A0000-0x0000000001AFC000-memory.dmp	family_sectoprat
behavioral1/memory/2136-70-0x00000000012A0000-0x0000000001AFC000-memory.dmp	family_sectoprat
behavioral1/memory/2136-233-0x00000000012A0000-0x0000000001AFC000-memory.dmp	family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2136-69-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2136-70-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2136-233-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2720-35-0x0000000000110000-0x0000000000A18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2720-36-0x0000000000110000-0x0000000000A18000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables packed with Themida 7 IoCs

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3.exe	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2720-35-0x0000000000110000-0x0000000000A18000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2720-36-0x0000000000110000-0x0000000000A18000-memory.dmp	INDICATOR_EXE_Packed_Themida
\Users\Admin\AppData\Local\Temp\r.exe	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2136-69-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2136-70-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_EXE_Packed_Themida
behavioral1/memory/2136-233-0x00000000012A0000-0x0000000001AFC000-memory.dmp	INDICATOR_EXE_Packed_Themida

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

3.exer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 3.exe
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ r.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	r.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3.exer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	r.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	r.exe

Executes dropped EXE 4 IoCs

Processes:

4.exe3.exezcjszx.exer.exe

pid process

2532 4.exe
2720 3.exe
644 zcjszx.exe
2136 r.exe
Loads dropped DLL 9 IoCs

Processes:

4.exe3.exezcjszx.exe

pid process

2532 4.exe
2532 4.exe
2532 4.exe
2532 4.exe
2720 3.exe
644 zcjszx.exe
644 zcjszx.exe
644 zcjszx.exe
644 zcjszx.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2532	4.exe
2720	3.exe
644	zcjszx.exe
2136	r.exe

pid	process
2532	4.exe
2532	4.exe
2532	4.exe
2532	4.exe
2720	3.exe
644	zcjszx.exe
644	zcjszx.exe
644	zcjszx.exe
644	zcjszx.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\3.exe	themida
behavioral1/memory/2720-35-0x0000000000110000-0x0000000000A18000-memory.dmp	themida
behavioral1/memory/2720-36-0x0000000000110000-0x0000000000A18000-memory.dmp	themida
\Users\Admin\AppData\Local\Temp\r.exe	themida
behavioral1/memory/2136-69-0x00000000012A0000-0x0000000001AFC000-memory.dmp	themida
behavioral1/memory/2136-70-0x00000000012A0000-0x0000000001AFC000-memory.dmp	themida
behavioral1/memory/2136-233-0x00000000012A0000-0x0000000001AFC000-memory.dmp	themida

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

3.exer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	r.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

3.exer.exe

pid process

2720 3.exe
2136 r.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2720	3.exe
2136	r.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

r.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	r.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	r.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	r.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

r.exe

pid process

2136 r.exe
2136 r.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3.exer.exe

description pid process

Token: SeDebugPrivilege 2720 3.exe
Token: SeDebugPrivilege 2136 r.exe

pid	process
2136	r.exe
2136	r.exe

description	pid	process
Token: SeDebugPrivilege	2720	3.exe
Token: SeDebugPrivilege	2136	r.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe4.exe3.exezcjszx.exe

description	pid	process	target process
PID 1284 wrote to memory of 2532	1284	fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe	4.exe
PID 1284 wrote to memory of 2532	1284	fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe	4.exe
PID 1284 wrote to memory of 2532	1284	fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe	4.exe
PID 1284 wrote to memory of 2532	1284	fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe	4.exe
PID 2532 wrote to memory of 2720	2532	4.exe	3.exe
PID 2532 wrote to memory of 2720	2532	4.exe	3.exe
PID 2532 wrote to memory of 2720	2532	4.exe	3.exe
PID 2532 wrote to memory of 2720	2532	4.exe	3.exe
PID 2720 wrote to memory of 644	2720	3.exe	zcjszx.exe
PID 2720 wrote to memory of 644	2720	3.exe	zcjszx.exe
PID 2720 wrote to memory of 644	2720	3.exe	zcjszx.exe
PID 2720 wrote to memory of 644	2720	3.exe	zcjszx.exe
PID 644 wrote to memory of 2136	644	zcjszx.exe	r.exe
PID 644 wrote to memory of 2136	644	zcjszx.exe	r.exe
PID 644 wrote to memory of 2136	644	zcjszx.exe	r.exe
PID 644 wrote to memory of 2136	644	zcjszx.exe	r.exe

C:\Users\Admin\AppData\Local\Temp\fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe
"C:\Users\Admin\AppData\Local\Temp\fdb5b2a0041b0939552ecd31e382e28529313c8bc8a656eb7de1cef9fbd6eee9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\3.exe
    "C:\Users\Admin\AppData\Local\Temp\3.exe"
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\zcjszx.exe
      "C:\Users\Admin\AppData\Local\Temp\zcjszx.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Users\Admin\AppData\Local\Temp\r.exe
        
        "C:\Users\Admin\AppData\Local\Temp\r.exe"
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a7988555ca8979f11d4e15e0c308b7c

SHA1
0a243b7820d3c05a234a89f3b43c59d2bcedcc81

SHA256
8ecc8dff67cd69a11538fde2c689645b64a1d6a1e8ad726cfe2a139bef1f5b55

SHA512
dd510d1d2aa124499ebc54588071e2e6431e60c1d3b12bcd1986f44bdfb642db3e3f590d6b38e878036fa40f12e2140155b922b4b3345cd1a9fd5e6947dc04df

Download Submit
C:\Users\Admin\AppData\Local\Temp\4.exe

Filesize
3.4MB

MD5
d7e09993b21575a255d4ceaf706c205a

SHA1
01b68051ae35e1e12d8827664acdcf2cb9ed3766

SHA256
939f981d4a948e41999d8e1073418edb0c2afc47797ad87e0ecdf7124df7bde0

SHA512
37621af16254f15f273b0e36dff3927c4f40ef594e150c03f0b693443d16a7d6de8bed259a290b8ad9e8fe3d754865b06cdcba8b900722d1eb46487a56ef9d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA1BD.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA398.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADC6.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADFB.tmp

Filesize
92KB

MD5
2157696941ae13875f8dfe8630ea4029

SHA1
b5ff62b7900cdfc630edd94d737309042de58251

SHA256
90e438a9d6706c8a1e809bfb5babe83508cac27d3c9f3f9b8bd1cd4f3aa3e033

SHA512
61b998e42f5d0121f75e04a46177c1c3a7122dc2014b7bed1d584c9ea53146e87d7a6b9e94bde066d92580c6c2b2316dd860980e5cd8f75984286dc90e43fb6a

Download Submit
\Users\Admin\AppData\Local\Temp\3.exe

Filesize
3.1MB

MD5
215f503316c98618dc6db327477fd26f

SHA1
136df5466ff49e2aadb1587e4c94d56175a0085e

SHA256
dbbde79c77cc64c6f42ca0f69e33561b70377626e7db42774679f9d602078cd1

SHA512
7c6a5ee768c8ae75ad9112526fa8de35c214b6de48435097599ab73b4ca072372ebaa8e59da2c734e0e4e2f0fac7187f1ad2a02306625051c7d9147e6d14da22

Download Submit
\Users\Admin\AppData\Local\Temp\r.exe

Filesize
3.2MB

MD5
cf1a74b1e40e5c34df68add35da92129

SHA1
c8faf639d73049f35de385f2c698f6809c1eaa92

SHA256
3196cc360075b773b4ff9a17ee1a53c6ce32476af563a910126fdfc02702f4c0

SHA512
83c3b4c16c2a53f1048c37e90c6ad5025b4e143975622bb0388b32af04b54544aeb3e2415ad7cccc2381471002732deec1f8b96d778efe6315953c495a0ba634

Download Submit
\Users\Admin\AppData\Local\Temp\zcjszx.exe

Filesize
3.5MB

MD5
823f263a3d860454ef8092594ffb7ec0

SHA1
707e4b0e1340a72d200bae4cee0bd2c22b47e1e7

SHA256
e9e391ef56461e970601392db1d9adc8958f1dbc7fb9328d58cfc0601d3c7a3b

SHA512
ccebdb1af101a5a05be7a92797add599bfc565df0849aa404fc1bd5156e02828b7df6713d8ee66144150006e33cc87a9977f827e9e789d09f251925b12ff7a52

Download Submit
memory/644-63-0x0000000003620000-0x0000000003E7C000-memory.dmp

Filesize
8.4MB

Download
memory/644-168-0x0000000003620000-0x0000000003E7C000-memory.dmp

Filesize
8.4MB

Download
memory/1284-12-0x0000000002F60000-0x0000000002F61000-memory.dmp

Filesize
4KB

Download
memory/2136-65-0x00000000012A0000-0x0000000001AFC000-memory.dmp

Filesize
8.4MB

Download
memory/2136-69-0x00000000012A0000-0x0000000001AFC000-memory.dmp

Filesize
8.4MB

Download
memory/2136-70-0x00000000012A0000-0x0000000001AFC000-memory.dmp

Filesize
8.4MB

Download
memory/2136-229-0x00000000012A0000-0x0000000001AFC000-memory.dmp

Filesize
8.4MB

Download
memory/2136-233-0x00000000012A0000-0x0000000001AFC000-memory.dmp

Filesize
8.4MB

Download
memory/2532-29-0x0000000003590000-0x0000000003E98000-memory.dmp

Filesize
9.0MB

Download
memory/2720-38-0x0000000000110000-0x0000000000A18000-memory.dmp

Filesize
9.0MB

Download
memory/2720-36-0x0000000000110000-0x0000000000A18000-memory.dmp

Filesize
9.0MB

Download
memory/2720-35-0x0000000000110000-0x0000000000A18000-memory.dmp

Filesize
9.0MB

Download
memory/2720-30-0x0000000000110000-0x0000000000A18000-memory.dmp

Filesize
9.0MB

Download