nullmixer | 41ad6f9aaac40ebe7d35ad9caa46ceafed790ca57d7c4e283fa87ce1892a088a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe
Size

3.4MB
MD5

b7468904155157b5f8cd9cb3782686de
SHA1

3b1fa2908150cc6a7d7764ee82ec37755984bba3
SHA256

41ad6f9aaac40ebe7d35ad9caa46ceafed790ca57d7c4e283fa87ce1892a088a
SHA512

185c5beef69986989a4b028b753f9e70ed501f0323bc0106e63f584263a323513ff95b068f7f2a1810a5cabc0526d4e75d06e579c17d8873b708c7fa0f0bae69
SSDEEP

98304:y9SA9IVfu8JcsQ05Dsw5C92bLLl2zgXsjOmpzRTUF6YKK8NSIxu:yafJF+SFRcOs+iK8NSIxu

Score

10^/10

nullmixer privateloader redline sectoprat vidar pub2 aspackv2 discovery dropper execution infostealer loader rat stealer trojan

Malware Config

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

redline

Botnet

pub2

185.92.73.84:80

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4396-149-0x0000000004C20000-0x0000000004C44000-memory.dmp	family_redline
behavioral2/memory/4396-151-0x0000000004E10000-0x0000000004E32000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4396-149-0x0000000004C20000-0x0000000004C44000-memory.dmp	family_sectoprat
behavioral2/memory/4396-151-0x0000000004E10000-0x0000000004E32000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/1488-157-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4172 powershell.exe

pid	process
4172	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libcurl.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libstdc++-6.dll	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libcurlpp.dll	aspack_v212_v242

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exesetup_installer.exeTue202c0b0c44.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	setup_installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	Tue202c0b0c44.exe

Executes dropped EXE 11 IoCs

Processes:

setup_installer.exesetup_install.exeTue202c0b0c44.exeTue206edc34cf4.exeTue200a01e55ccea5b.exeTue20b0ce91e160.exeTue2019d28f9486.exeTue20357017b9f2cf.exeTue206f1d53d40be40.exeTue2073e57b595420b4a.exeTue202c0b0c44.exe

pid	process
1876	setup_installer.exe
4336	setup_install.exe
3772	Tue202c0b0c44.exe
4448	Tue206edc34cf4.exe
1488	Tue200a01e55ccea5b.exe
3944	Tue20b0ce91e160.exe
4396	Tue2019d28f9486.exe
1636	Tue20357017b9f2cf.exe
2524	Tue206f1d53d40be40.exe
752	Tue2073e57b595420b4a.exe
4916	Tue202c0b0c44.exe

Loads dropped DLL 7 IoCs

Processes:

setup_install.exe

pid	process
4336	setup_install.exe
4336	setup_install.exe
4336	setup_install.exe
4336	setup_install.exe
4336	setup_install.exe
4336	setup_install.exe
4336	setup_install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
2520	4336	WerFault.exe	setup_install.exe
1724	4448	WerFault.exe	Tue206edc34cf4.exe
760	1488	WerFault.exe	Tue200a01e55ccea5b.exe
4688	1488	WerFault.exe	Tue200a01e55ccea5b.exe
2812	1488	WerFault.exe	Tue200a01e55ccea5b.exe
3204	1488	WerFault.exe	Tue200a01e55ccea5b.exe
1424	1488	WerFault.exe	Tue200a01e55ccea5b.exe
3112	1488	WerFault.exe	Tue200a01e55ccea5b.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Tue200a01e55ccea5b.execmd.execmd.execmd.execmd.execmd.execmd.exeTue2019d28f9486.exeTue202c0b0c44.exeTue202c0b0c44.exeb7468904155157b5f8cd9cb3782686de_JaffaCakes118.execmd.exeTue206edc34cf4.execmd.exepowershell.exesetup_installer.exesetup_install.execmd.exeTue20357017b9f2cf.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue200a01e55ccea5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue2019d28f9486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue202c0b0c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue202c0b0c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue206edc34cf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20357017b9f2cf.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Tue206edc34cf4.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue206edc34cf4.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue206edc34cf4.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Tue206edc34cf4.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

4172 powershell.exe
4172 powershell.exe
4172 powershell.exe

pid	process
4172	powershell.exe
4172	powershell.exe
4172	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Tue206f1d53d40be40.exepowershell.exeTue2073e57b595420b4a.exe

description	pid	process
Token: SeDebugPrivilege	2524	Tue206f1d53d40be40.exe
Token: SeDebugPrivilege	4172	powershell.exe
Token: SeDebugPrivilege	752	Tue2073e57b595420b4a.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exesetup_installer.exesetup_install.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exeTue202c0b0c44.exe

description	pid	process	target process
PID 2360 wrote to memory of 1876	2360	b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe	setup_installer.exe
PID 2360 wrote to memory of 1876	2360	b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe	setup_installer.exe
PID 2360 wrote to memory of 1876	2360	b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe	setup_installer.exe
PID 1876 wrote to memory of 4336	1876	setup_installer.exe	setup_install.exe
PID 1876 wrote to memory of 4336	1876	setup_installer.exe	setup_install.exe
PID 1876 wrote to memory of 4336	1876	setup_installer.exe	setup_install.exe
PID 4336 wrote to memory of 1144	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1144	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1144	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2728	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2728	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2728	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4344	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4344	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4344	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2320	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2320	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 2320	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3820	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3820	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3820	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4804	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4804	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 4804	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3200	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3200	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 3200	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1644	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1644	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1644	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1020	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1020	4336	setup_install.exe	cmd.exe
PID 4336 wrote to memory of 1020	4336	setup_install.exe	cmd.exe
PID 1144 wrote to memory of 4172	1144	cmd.exe	powershell.exe
PID 1144 wrote to memory of 4172	1144	cmd.exe	powershell.exe
PID 1144 wrote to memory of 4172	1144	cmd.exe	powershell.exe
PID 2728 wrote to memory of 3772	2728	cmd.exe	Tue202c0b0c44.exe
PID 2728 wrote to memory of 3772	2728	cmd.exe	Tue202c0b0c44.exe
PID 2728 wrote to memory of 3772	2728	cmd.exe	Tue202c0b0c44.exe
PID 4344 wrote to memory of 4448	4344	cmd.exe	Tue206edc34cf4.exe
PID 4344 wrote to memory of 4448	4344	cmd.exe	Tue206edc34cf4.exe
PID 4344 wrote to memory of 4448	4344	cmd.exe	Tue206edc34cf4.exe
PID 3820 wrote to memory of 1488	3820	cmd.exe	Tue200a01e55ccea5b.exe
PID 3820 wrote to memory of 1488	3820	cmd.exe	Tue200a01e55ccea5b.exe
PID 3820 wrote to memory of 1488	3820	cmd.exe	Tue200a01e55ccea5b.exe
PID 2320 wrote to memory of 3944	2320	cmd.exe	Tue20b0ce91e160.exe
PID 2320 wrote to memory of 3944	2320	cmd.exe	Tue20b0ce91e160.exe
PID 4804 wrote to memory of 4396	4804	cmd.exe	Tue2019d28f9486.exe
PID 4804 wrote to memory of 4396	4804	cmd.exe	Tue2019d28f9486.exe
PID 4804 wrote to memory of 4396	4804	cmd.exe	Tue2019d28f9486.exe
PID 3200 wrote to memory of 1636	3200	cmd.exe	Tue20357017b9f2cf.exe
PID 3200 wrote to memory of 1636	3200	cmd.exe	Tue20357017b9f2cf.exe
PID 3200 wrote to memory of 1636	3200	cmd.exe	Tue20357017b9f2cf.exe
PID 1644 wrote to memory of 2524	1644	cmd.exe	Tue206f1d53d40be40.exe
PID 1644 wrote to memory of 2524	1644	cmd.exe	Tue206f1d53d40be40.exe
PID 1020 wrote to memory of 752	1020	cmd.exe	Tue2073e57b595420b4a.exe
PID 1020 wrote to memory of 752	1020	cmd.exe	Tue2073e57b595420b4a.exe
PID 3772 wrote to memory of 4916	3772	Tue202c0b0c44.exe	Tue202c0b0c44.exe
PID 3772 wrote to memory of 4916	3772	Tue202c0b0c44.exe	Tue202c0b0c44.exe
PID 3772 wrote to memory of 4916	3772	Tue202c0b0c44.exe	Tue202c0b0c44.exe

C:\Users\Admin\AppData\Local\Temp\b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b7468904155157b5f8cd9cb3782686de_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4172
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue202c0b0c44.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue202c0b0c44.exe
        
        Tue202c0b0c44.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue202c0b0c44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue202c0b0c44.exe" -a
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue206edc34cf4.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue206edc34cf4.exe
        
        Tue206edc34cf4.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks SCSI registry key(s)
        
        PID:4448
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4448 -s 356
        6⤵
        Program crash
        
        PID:1724
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20b0ce91e160.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue20b0ce91e160.exe
        
        Tue20b0ce91e160.exe
        5⤵
        Executes dropped EXE
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue200a01e55ccea5b.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3820
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue200a01e55ccea5b.exe
        
        Tue200a01e55ccea5b.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 824
        6⤵
        Program crash
        
        PID:760
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 832
        6⤵
        Program crash
        
        PID:4688
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 876
        6⤵
        Program crash
        
        PID:2812
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 884
        6⤵
        Program crash
        
        PID:3204
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1028
        6⤵
        Program crash
        
        PID:1424
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 1032
        6⤵
        Program crash
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2019d28f9486.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4804
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue2019d28f9486.exe
        
        Tue2019d28f9486.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue20357017b9f2cf.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3200
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue20357017b9f2cf.exe
        
        Tue20357017b9f2cf.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue206f1d53d40be40.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue206f1d53d40be40.exe
        
        Tue206f1d53d40be40.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Tue2073e57b595420b4a.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue2073e57b595420b4a.exe
        
        Tue2073e57b595420b4a.exe
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4336 -s 492
      4⤵
      Program crash
      PID:2520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4336 -ip 4336
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4448 -ip 4448
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1488 -ip 1488
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1488 -ip 1488
1⤵
PID:1760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1488 -ip 1488
1⤵
PID:3808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 1488 -ip 1488
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1488 -ip 1488
1⤵
PID:3020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1488 -ip 1488
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue200a01e55ccea5b.exe

Filesize
539KB

MD5
613e731bf142f930168c17047b0a88e1

SHA1
00c7ae3e6771415167e7ab0e5a21297d733fb9dc

SHA256
2dea53f68ee05019e21760591436ce11b2eee72c2a334e086f597ae8c24a303c

SHA512
6cda3d2a2bdf707f9daec11ebb6ceebce85a1deb9f8e248174f962b985d49caba0198eb3259120c0269fc6f42c6ec6add206a51b4560d9c3176517f6814e7a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue2019d28f9486.exe

Filesize
300KB

MD5
953d93e24956822e11d1ff9e433731d4

SHA1
3f45bcca182046fa8957821089d804200227985d

SHA256
f4eb31de9302b29f94e951cd77159b29ad6f36dc48dff1df573d13be632a0c16

SHA512
c3791ebb2a90a82c4b937b58daa979a6e33d14606a5e89f398d56c8093d6582c76287576486c9292f0af00f7c7823147ef9d3993f47bb582b6f91c6fd9461137

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue202c0b0c44.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue20357017b9f2cf.exe

Filesize
1.7MB

MD5
05a0baf55450d99cb0fa0ee652e2cd0c

SHA1
e7334de04c18c241a091c3327cdcd56e85cc6baf

SHA256
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

SHA512
b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue206edc34cf4.exe

Filesize
197KB

MD5
5dd05fecd86da1a812a1e1045aa5b3e2

SHA1
7916763ae91dc1ae73e45dd13b33ef45f7911769

SHA256
9975bc95574a3f0547e79befa7065239653088d3f84841cdcdf75017ba903a09

SHA512
709151d96485a13281ee44bc3e768da5ed500c3f41eebcf1274a3a6e9730a101c24d9bc240eece5416bba994baf193934a66b3d6ba467e8386a8ee23ad5a386e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue206f1d53d40be40.exe

Filesize
78KB

MD5
9ec54823bf8214095594aeef509153b6

SHA1
e5e20d4d959df24958c4f8ec029950cd094a611d

SHA256
7b04c1fb8c6d2a22de787b8a223e3f8159cc28bff82b204d23b675b1f55899cf

SHA512
b6195cad810665e32c881fb24b29620c278b3afed4ce056c306707a0aa5915c335ff185c6567041f562c17f7e61bfc59d756be487a33cb3a205b589c3085503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue2073e57b595420b4a.exe

Filesize
8KB

MD5
5fbf56cf05175a08ebbfd3ab8c29ab9e

SHA1
7412ee83a7568b1f6024ba4e1277e298d76e8738

SHA256
05942fe67632d7cb440fd1f31bd55cfc8416bdab4da6ed8d84e8d3fd16c3f5d6

SHA512
dfb6a263fe313880e47d9eb85dd43c37a7ed44b403354ecba80c0cb0253f913670295217e243677ed38676e23542694cfc1700659e370f92e8d2434cdf95c62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\Tue20b0ce91e160.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS457A03E7\setup_install.exe

Filesize
2.1MB

MD5
0e64ef80b1985958635dbf7185c1bddb

SHA1
e31c71461242e664f9b23c8b3bf5f5968dd530eb

SHA256
175019e8af381eecc895a880496ba7da48ba456805518ef91bc14d48bef6d533

SHA512
c2e9ed9c9112a4a96829da570a2171eab1a9f971a81d43ec39d641df3fadd5345e5d0940d5b785504bdc5bebb312fcc0500f9c7781222477ff2172ecbea2d974

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tycjccdl.y2j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup_installer.exe

Filesize
3.4MB

MD5
4b03c39108e3dc0e225ca17b2e60dbf3

SHA1
93c03382407478f1deb2c352fb09a06ddaf45427

SHA256
d54475a4d379b330858efba292a1b9c791155ecb8b86461e3edffd2e32afcd0a

SHA512
3f49a1cb00160681e5750d7821dc55e54207616ed4f9987827a2cc9dd09aecabab0b117a4120b4d1b925fd40827e2f01992ede1b7315889e67c6beea0b1bda3c

Download Submit
memory/752-97-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/1488-157-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/2524-92-0x0000000000A30000-0x0000000000A4A000-memory.dmp

Filesize
104KB

Download
memory/3200-161-0x00000000000F0000-0x000000000014A000-memory.dmp

Filesize
360KB

Download
memory/3944-162-0x00007FFA3E370000-0x00007FFA3E41C000-memory.dmp

Filesize
688KB

Download
memory/4172-140-0x0000000006F50000-0x0000000006FE6000-memory.dmp

Filesize
600KB

Download
memory/4172-144-0x0000000007030000-0x000000000704A000-memory.dmp

Filesize
104KB

Download
memory/4172-105-0x0000000005400000-0x0000000005754000-memory.dmp

Filesize
3.3MB

Download
memory/4172-99-0x0000000005390000-0x00000000053F6000-memory.dmp

Filesize
408KB

Download
memory/4172-145-0x0000000007020000-0x0000000007028000-memory.dmp

Filesize
32KB

Download
memory/4172-96-0x0000000004900000-0x0000000004922000-memory.dmp

Filesize
136KB

Download
memory/4172-143-0x0000000006FF0000-0x0000000007004000-memory.dmp

Filesize
80KB

Download
memory/4172-142-0x0000000006F30000-0x0000000006F3E000-memory.dmp

Filesize
56KB

Download
memory/4172-141-0x0000000006EE0000-0x0000000006EF1000-memory.dmp

Filesize
68KB

Download
memory/4172-93-0x0000000004400000-0x0000000004436000-memory.dmp

Filesize
216KB

Download
memory/4172-139-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download
memory/4172-137-0x0000000007320000-0x000000000799A000-memory.dmp

Filesize
6.5MB

Download
memory/4172-110-0x00000000059B0000-0x00000000059CE000-memory.dmp

Filesize
120KB

Download
memory/4172-111-0x0000000005F40000-0x0000000005F8C000-memory.dmp

Filesize
304KB

Download
memory/4172-138-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

Filesize
104KB

Download
memory/4172-136-0x0000000006980000-0x0000000006A23000-memory.dmp

Filesize
652KB

Download
memory/4172-125-0x000000006F9B0000-0x000000006F9FC000-memory.dmp

Filesize
304KB

Download
memory/4172-98-0x0000000005320000-0x0000000005386000-memory.dmp

Filesize
408KB

Download
memory/4172-135-0x0000000005EF0000-0x0000000005F0E000-memory.dmp

Filesize
120KB

Download
memory/4172-94-0x0000000004AF0000-0x0000000005118000-memory.dmp

Filesize
6.2MB

Download
memory/4172-124-0x0000000005F90000-0x0000000005FC2000-memory.dmp

Filesize
200KB

Download
memory/4336-69-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4336-52-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4336-123-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4336-120-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4336-118-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/4336-114-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/4336-62-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4336-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4336-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4336-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4336-65-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4336-66-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4336-67-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4336-68-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/4336-121-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4336-71-0x0000000064941000-0x000000006494F000-memory.dmp

Filesize
56KB

Download
memory/4336-122-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4336-72-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/4336-70-0x0000000000EE0000-0x0000000000F6F000-memory.dmp

Filesize
572KB

Download
memory/4336-61-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/4336-73-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/4396-151-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/4396-152-0x0000000007920000-0x0000000007F38000-memory.dmp

Filesize
6.1MB

Download
memory/4396-153-0x0000000004FE0000-0x0000000004FF2000-memory.dmp

Filesize
72KB

Download
memory/4396-154-0x0000000007F40000-0x000000000804A000-memory.dmp

Filesize
1.0MB

Download
memory/4396-155-0x0000000008050000-0x000000000808C000-memory.dmp

Filesize
240KB

Download
memory/4396-156-0x00000000080C0000-0x000000000810C000-memory.dmp

Filesize
304KB

Download
memory/4396-158-0x0000000000400000-0x0000000002CDB000-memory.dmp

Filesize
40.9MB

Download
memory/4396-150-0x0000000007370000-0x0000000007914000-memory.dmp

Filesize
5.6MB

Download
memory/4396-149-0x0000000004C20000-0x0000000004C44000-memory.dmp

Filesize
144KB

Download
memory/4448-148-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download