nullmixer | 41ad6f9aaac40ebe7d35ad9caa46ceafed790ca57d7c4e283fa87ce1892a088a

Analysis

max time kernel
25s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer.exe
Size

3.4MB
MD5

4b03c39108e3dc0e225ca17b2e60dbf3
SHA1

93c03382407478f1deb2c352fb09a06ddaf45427
SHA256

d54475a4d379b330858efba292a1b9c791155ecb8b86461e3edffd2e32afcd0a
SHA512

3f49a1cb00160681e5750d7821dc55e54207616ed4f9987827a2cc9dd09aecabab0b117a4120b4d1b925fd40827e2f01992ede1b7315889e67c6beea0b1bda3c
SSDEEP

98304:x2CvLUBsgz3n5nSgTlZuRF/7G4Mf7GJAr3ZPEfZMF:x/LUCgz3n5nSulZuGGJ23VExM

Score

10^/10

nullmixer privateloader redline sectoprat vidar pub2 aspackv2 discovery dropper execution infostealer loader rat stealer trojan

Malware Config

Extracted

Family

nullmixer

http://hsiens.xyz/

Extracted

Family

privateloader

http://37.0.10.214/proxies.txt

http://37.0.10.244/server.txt

http://wfsdragon.ru/api/setStats.php

37.0.10.237

Extracted

Family

redline

Botnet

pub2

185.92.73.84:80

Signatures

NullMixer
NullMixer is a malware dropper leading to an infection chain of a wide variety of malware families.
dropper nullmixer
PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2648-152-0x0000000004750000-0x0000000004774000-memory.dmp	family_redline
behavioral3/memory/2648-156-0x0000000004CD0000-0x0000000004CF2000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral3/memory/2648-152-0x0000000004750000-0x0000000004774000-memory.dmp	family_sectoprat
behavioral3/memory/2648-156-0x0000000004CD0000-0x0000000004CF2000-memory.dmp	family_sectoprat

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Vidar Stealer 1 IoCs

stealer

Processes:

resource	yara_rule
behavioral3/memory/1856-226-0x0000000000400000-0x0000000002D16000-memory.dmp	family_vidar

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1208	powershell.exe

ASPack v2.12-2.42 3 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
behavioral3/files/0x000600000001872a-41.dat	aspack_v212_v242
behavioral3/files/0x000700000001871e-45.dat	aspack_v212_v242
behavioral3/files/0x0006000000018736-49.dat	aspack_v212_v242

Executes dropped EXE 11 IoCs

Processes:

setup_install.exeTue202c0b0c44.exeTue2019d28f9486.exeTue20b0ce91e160.exeTue206edc34cf4.exeTue206f1d53d40be40.exeTue2073e57b595420b4a.exeTue20b0ce91e160.exeTue200a01e55ccea5b.exeTue20357017b9f2cf.exeTue202c0b0c44.exe

pid	Process
2808	setup_install.exe
2208	Tue202c0b0c44.exe
2648	Tue2019d28f9486.exe
1504	Tue20b0ce91e160.exe
1628	Tue206edc34cf4.exe
2892	Tue206f1d53d40be40.exe
2880	Tue2073e57b595420b4a.exe
1476	Tue20b0ce91e160.exe
1856	Tue200a01e55ccea5b.exe
2376	Tue20357017b9f2cf.exe
2168	Tue202c0b0c44.exe

Loads dropped DLL 46 IoCs

Processes:

setup_installer.exesetup_install.execmd.execmd.exeTue202c0b0c44.exeTue2019d28f9486.execmd.execmd.execmd.exeTue206edc34cf4.execmd.execmd.exeTue200a01e55ccea5b.exeTue20357017b9f2cf.exeTue202c0b0c44.exeWerFault.exeWerFault.exe

pid	Process
2012	setup_installer.exe
2012	setup_installer.exe
2012	setup_installer.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2808	setup_install.exe
2076	cmd.exe
2076	cmd.exe
2992	cmd.exe
2992	cmd.exe
2208	Tue202c0b0c44.exe
2208	Tue202c0b0c44.exe
2648	Tue2019d28f9486.exe
2648	Tue2019d28f9486.exe
852	cmd.exe
852	cmd.exe
2744	cmd.exe
1804	cmd.exe
1628	Tue206edc34cf4.exe
1628	Tue206edc34cf4.exe
2532	cmd.exe
2532	cmd.exe
2980	cmd.exe
1856	Tue200a01e55ccea5b.exe
1856	Tue200a01e55ccea5b.exe
2376	Tue20357017b9f2cf.exe
2376	Tue20357017b9f2cf.exe
2208	Tue202c0b0c44.exe
2168	Tue202c0b0c44.exe
2168	Tue202c0b0c44.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
888	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe
2312	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
888	2808	WerFault.exe	30
2312	1856	WerFault.exe	49

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.execmd.execmd.execmd.exepowershell.exeTue206edc34cf4.exeTue2019d28f9486.exeTue202c0b0c44.exesetup_installer.execmd.execmd.execmd.exeTue202c0b0c44.exesetup_install.execmd.execmd.exeTue200a01e55ccea5b.exeTue20357017b9f2cf.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue206edc34cf4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue2019d28f9486.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue202c0b0c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue202c0b0c44.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue200a01e55ccea5b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tue20357017b9f2cf.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Tue200a01e55ccea5b.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue200a01e55ccea5b.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Tue200a01e55ccea5b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Tue200a01e55ccea5b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
1208	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Tue2073e57b595420b4a.exeTue206f1d53d40be40.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2880	Tue2073e57b595420b4a.exe
Token: SeDebugPrivilege	2892	Tue206f1d53d40be40.exe
Token: SeDebugPrivilege	1208	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

setup_installer.exesetup_install.exe

description	pid	Process	procid_target
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2012 wrote to memory of 2808	2012	setup_installer.exe	30
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 1048	2808	setup_install.exe	32
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 2076	2808	setup_install.exe	33
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 852	2808	setup_install.exe	34
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 1292	2808	setup_install.exe	35
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2532	2808	setup_install.exe	36
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2992	2808	setup_install.exe	37
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2980	2808	setup_install.exe	38
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 2744	2808	setup_install.exe	39
PID 2808 wrote to memory of 1804	2808	setup_install.exe	40

C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\setup_install.exe
  "C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\setup_install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1048
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue202c0b0c44.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2076
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue202c0b0c44.exe
      Tue202c0b0c44.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2208
    - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue202c0b0c44.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue202c0b0c44.exe" -a
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue206edc34cf4.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:852
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue206edc34cf4.exe
      Tue206edc34cf4.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20b0ce91e160.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1292
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20b0ce91e160.exe
      Tue20b0ce91e160.exe
      4⤵
      Executes dropped EXE
      PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20b0ce91e160.exe
      "C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20b0ce91e160.exe"
      4⤵
      Executes dropped EXE
      PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue200a01e55ccea5b.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2532
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue200a01e55ccea5b.exe
      Tue200a01e55ccea5b.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      PID:1856
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1856 -s 964
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2019d28f9486.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2992
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue2019d28f9486.exe
      Tue2019d28f9486.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2648
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue20357017b9f2cf.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20357017b9f2cf.exe
      Tue20357017b9f2cf.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue206f1d53d40be40.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue206f1d53d40be40.exe
      Tue206f1d53d40be40.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c Tue2073e57b595420b4a.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1804
  - - C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue2073e57b595420b4a.exe
      Tue2073e57b595420b4a.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2880
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 424
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue200a01e55ccea5b.exe

Filesize
539KB

MD5
613e731bf142f930168c17047b0a88e1

SHA1
00c7ae3e6771415167e7ab0e5a21297d733fb9dc

SHA256
2dea53f68ee05019e21760591436ce11b2eee72c2a334e086f597ae8c24a303c

SHA512
6cda3d2a2bdf707f9daec11ebb6ceebce85a1deb9f8e248174f962b985d49caba0198eb3259120c0269fc6f42c6ec6add206a51b4560d9c3176517f6814e7a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue2019d28f9486.exe

Filesize
300KB

MD5
953d93e24956822e11d1ff9e433731d4

SHA1
3f45bcca182046fa8957821089d804200227985d

SHA256
f4eb31de9302b29f94e951cd77159b29ad6f36dc48dff1df573d13be632a0c16

SHA512
c3791ebb2a90a82c4b937b58daa979a6e33d14606a5e89f398d56c8093d6582c76287576486c9292f0af00f7c7823147ef9d3993f47bb582b6f91c6fd9461137

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue202c0b0c44.exe

Filesize
56KB

MD5
c0d18a829910babf695b4fdaea21a047

SHA1
236a19746fe1a1063ebe077c8a0553566f92ef0f

SHA256
78958d664b1c140f2b45e56c4706108eeb5f14756977e2efd3409f8a788d3c98

SHA512
cca06a032d8232c0046c6160f47b8792370745b47885c2fa75308abc3df76dcc5965858b004c1aad05b8cd8fbb9a359077be1b97ec087a05d740145030675823

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20357017b9f2cf.exe

Filesize
1.7MB

MD5
05a0baf55450d99cb0fa0ee652e2cd0c

SHA1
e7334de04c18c241a091c3327cdcd56e85cc6baf

SHA256
4cfbdd8acdc923beeca12d94f06d2f1632765434a2087df7ac803c254a0adf9c

SHA512
b6d1fc00d7b076068b0879fa4d29b68d3054b5fca24edd5852077bf34d37c43e79cb74fda9c45014610b317d57d70369a3e197784c04bc3c6eac5e1ea9a64fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue206edc34cf4.exe

Filesize
197KB

MD5
5dd05fecd86da1a812a1e1045aa5b3e2

SHA1
7916763ae91dc1ae73e45dd13b33ef45f7911769

SHA256
9975bc95574a3f0547e79befa7065239653088d3f84841cdcdf75017ba903a09

SHA512
709151d96485a13281ee44bc3e768da5ed500c3f41eebcf1274a3a6e9730a101c24d9bc240eece5416bba994baf193934a66b3d6ba467e8386a8ee23ad5a386e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue206f1d53d40be40.exe

Filesize
78KB

MD5
9ec54823bf8214095594aeef509153b6

SHA1
e5e20d4d959df24958c4f8ec029950cd094a611d

SHA256
7b04c1fb8c6d2a22de787b8a223e3f8159cc28bff82b204d23b675b1f55899cf

SHA512
b6195cad810665e32c881fb24b29620c278b3afed4ce056c306707a0aa5915c335ff185c6567041f562c17f7e61bfc59d756be487a33cb3a205b589c3085503a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue2073e57b595420b4a.exe

Filesize
8KB

MD5
5fbf56cf05175a08ebbfd3ab8c29ab9e

SHA1
7412ee83a7568b1f6024ba4e1277e298d76e8738

SHA256
05942fe67632d7cb440fd1f31bd55cfc8416bdab4da6ed8d84e8d3fd16c3f5d6

SHA512
dfb6a263fe313880e47d9eb85dd43c37a7ed44b403354ecba80c0cb0253f913670295217e243677ed38676e23542694cfc1700659e370f92e8d2434cdf95c62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\Tue20b0ce91e160.exe

Filesize
900KB

MD5
0a0d22f1c9179a67d04166de0db02dbb

SHA1
106e55bd898b5574f9bd33dac9f3c0b95cecd90d

SHA256
a59457fbfaf3d1b2e17463d0ffd50680313b1905aff69f13694cfc3fffd5a4ac

SHA512
8abf8dc0da25c0fdbaa1ca39db057db80b9a135728fed9cd0f45b0f06d5652cee8d309b92e7cb953c0c4e8b38ffa2427c33f4865f1eb985a621316f9eb187b8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\libcurlpp.dll

Filesize
54KB

MD5
e6e578373c2e416289a8da55f1dc5e8e

SHA1
b601a229b66ec3d19c2369b36216c6f6eb1c063e

SHA256
43e86d650a68f1f91fa2f4375aff2720e934aa78fa3d33e06363122bf5a9535f

SHA512
9df6a8c418113a77051f6cb02745ad48c521c13cdadb85e0e37f79e29041464c8c7d7ba8c558fdd877035eb8475b6f93e7fc62b38504ddfe696a61480cabac89

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\libgcc_s_dw2-1.dll

Filesize
113KB

MD5
9aec524b616618b0d3d00b27b6f51da1

SHA1
64264300801a353db324d11738ffed876550e1d3

SHA256
59a466f77584438fc3abc0f43edc0fc99d41851726827a008841f05cfe12da7e

SHA512
0648a26940e8f4aad73b05ad53e43316dd688e5d55e293cce88267b2b8744412be2e0d507dadad830776bf715bcd819f00f5d1f7ac1c5f1c4f682fb7457a20d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\libstdc++-6.dll

Filesize
647KB

MD5
5e279950775baae5fea04d2cc4526bcc

SHA1
8aef1e10031c3629512c43dd8b0b5d9060878453

SHA256
97de47068327bb822b33c7106f9cbb489480901a6749513ef5c31d229dcaca87

SHA512
666325e9ed71da4955058aea31b91e2e848be43211e511865f393b7f537c208c6b31c182f7d728c2704e9fc87e7d1be3f98f5fee4d34f11c56764e1c599afd02

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\libwinpthread-1.dll

Filesize
69KB

MD5
1e0d62c34ff2e649ebc5c372065732ee

SHA1
fcfaa36ba456159b26140a43e80fbd7e9d9af2de

SHA256
509cb1d1443b623a02562ac760bced540e327c65157ffa938a22f75e38155723

SHA512
3653f8ed8ad3476632f731a3e76c6aae97898e4bf14f70007c93e53bc443906835be29f861c4a123db5b11e0f3dd5013b2b3833469a062060825df9ee708dc61

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD70B307\setup_install.exe

Filesize
2.1MB

MD5
0e64ef80b1985958635dbf7185c1bddb

SHA1
e31c71461242e664f9b23c8b3bf5f5968dd530eb

SHA256
175019e8af381eecc895a880496ba7da48ba456805518ef91bc14d48bef6d533

SHA512
c2e9ed9c9112a4a96829da570a2171eab1a9f971a81d43ec39d641df3fadd5345e5d0940d5b785504bdc5bebb312fcc0500f9c7781222477ff2172ecbea2d974

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CF1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D80.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\7zSCD70B307\libcurl.dll

Filesize
218KB

MD5
d09be1f47fd6b827c81a4812b4f7296f

SHA1
028ae3596c0790e6d7f9f2f3c8e9591527d267f7

SHA256
0de53e7be51789adaec5294346220b20f793e7f8d153a3c110a92d658760697e

SHA512
857f44a1383c29208509b8f1164b6438d750d5bb4419add7626986333433e67a0d1211ec240ce9472f30a1f32b16c8097aceba4b2255641b3d8928f94237f595

Download Submit
memory/1628-151-0x0000000000400000-0x0000000002CC1000-memory.dmp

Filesize
40.8MB

Download
memory/1856-226-0x0000000000400000-0x0000000002D16000-memory.dmp

Filesize
41.1MB

Download
memory/2648-152-0x0000000004750000-0x0000000004774000-memory.dmp

Filesize
144KB

Download
memory/2648-225-0x0000000000400000-0x0000000002CDB000-memory.dmp

Filesize
40.9MB

Download
memory/2648-156-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/2808-218-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2808-62-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-65-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2808-66-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2808-58-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-55-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-56-0x000000006494A000-0x000000006494F000-memory.dmp

Filesize
20KB

Download
memory/2808-60-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-59-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-57-0x0000000064940000-0x0000000064959000-memory.dmp

Filesize
100KB

Download
memory/2808-63-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-64-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-44-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2808-47-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-61-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-224-0x000000006FE40000-0x000000006FFC6000-memory.dmp

Filesize
1.5MB

Download
memory/2808-223-0x000000006EB40000-0x000000006EB63000-memory.dmp

Filesize
140KB

Download
memory/2808-222-0x000000006B440000-0x000000006B4CF000-memory.dmp

Filesize
572KB

Download
memory/2808-221-0x000000006B280000-0x000000006B2A6000-memory.dmp

Filesize
152KB

Download
memory/2808-219-0x0000000000400000-0x000000000051B000-memory.dmp

Filesize
1.1MB

Download
memory/2880-144-0x0000000000F30000-0x0000000000F38000-memory.dmp

Filesize
32KB

Download
memory/2892-143-0x0000000001290000-0x00000000012AA000-memory.dmp

Filesize
104KB

Download