Overview

overview

10

Static

static

3f53579a49...79.exe

windows7_x64

10

3f53579a49...79.exe

windows10_x64

10

Analysis

  • max time kernel
    18s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    30-06-2021 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3f53579a490ec07fe7518fdbae105b2dd4192e5ca2234af801d7ecfe42be3179.exe

  • Size

    3.5MB

  • MD5

    3cc70977f094f02dab75e1f9f03b241f

  • SHA1

    ddc55a0d58fefdcbef71ea5619a3aeeaf758936c

  • SHA256

    3f53579a490ec07fe7518fdbae105b2dd4192e5ca2234af801d7ecfe42be3179

  • SHA512

    11425ac5e5bbca82ca37d4ec545468a12ce5ac03ea83be2b5e1828beb829c95cd3fd652b4470a831cf256d53fde5af916224eb60d50050ecffd7ce6eabb222ca

Score
10/10
redlinevidar706servaniaspackv2evasioninfostealerstealertrojan

Malware Config

Extracted

Family

vidar

Version

39.4

Botnet

706

C2

https://sergeevih43.tumblr.com

Attributes
  • profile_id

    706

Extracted

Family

redline

Botnet

ServAni

C2

87.251.71.195:82

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

    stealervidar
  • Vidar Stealer 2 IoCs
    stealer
  • ASPack v2.12-2.42 14 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Downloads MZ/PE file
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 49 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 6 IoCs
  • Modifies registry class 8 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:472
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:876
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:784
    • C:\Users\Admin\AppData\Local\Temp\3f53579a490ec07fe7518fdbae105b2dd4192e5ca2234af801d7ecfe42be3179.exe
      "C:\Users\Admin\AppData\Local\Temp\3f53579a490ec07fe7518fdbae105b2dd4192e5ca2234af801d7ecfe42be3179.exe"
      1⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1984
      • C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
        "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\setup_install.exe
          "C:\Users\Admin\AppData\Local\Temp\7zS4150F305\setup_install.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:1712
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c sonia_2.exe
            4⤵
            • Loads dropped DLL
            PID:1388
            • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_2.exe
              sonia_2.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks SCSI registry key(s)
              • Suspicious behavior: EnumeratesProcesses
              PID:1708
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c sonia_3.exe
            4⤵
            • Loads dropped DLL
            PID:1052
            • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_3.exe
              sonia_3.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Modifies system certificate store
              PID:560
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 560 -s 968
                6⤵
                • Program crash
                PID:2444
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c sonia_4.exe
            4⤵
              PID:1360
              • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_4.exe
                sonia_4.exe
                5⤵
                  PID:2716
                  • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                    C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                    6⤵
                      PID:2848
                • C:\Windows\SysWOW64\cmd.exe
                  C:\Windows\system32\cmd.exe /c sonia_5.exe
                  4⤵
                  • Loads dropped DLL
                  PID:1772
                  • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_5.exe
                    sonia_5.exe
                    5⤵
                    • Executes dropped EXE
                    • Suspicious use of AdjustPrivilegeToken
                    PID:388
                    • C:\Users\Admin\AppData\Roaming\5772108.exe
                      "C:\Users\Admin\AppData\Roaming\5772108.exe"
                      6⤵
                        PID:2076
                      • C:\Users\Admin\AppData\Roaming\1287358.exe
                        "C:\Users\Admin\AppData\Roaming\1287358.exe"
                        6⤵
                          PID:2124
                        • C:\Users\Admin\AppData\Roaming\7872548.exe
                          "C:\Users\Admin\AppData\Roaming\7872548.exe"
                          6⤵
                            PID:2224
                          • C:\Users\Admin\AppData\Roaming\8487000.exe
                            "C:\Users\Admin\AppData\Roaming\8487000.exe"
                            6⤵
                              PID:2352
                        • C:\Windows\SysWOW64\cmd.exe
                          C:\Windows\system32\cmd.exe /c sonia_6.exe
                          4⤵
                          • Loads dropped DLL
                          PID:916
                          • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_6.exe
                            sonia_6.exe
                            5⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            PID:1808
                            • C:\Users\Admin\Documents\MU7MjnyrGOAw95rLjjfkLevI.exe
                              "C:\Users\Admin\Documents\MU7MjnyrGOAw95rLjjfkLevI.exe"
                              6⤵
                                PID:2164
                              • C:\Users\Admin\Documents\x1RJgyd3XHPoM1dA1I9QbnsT.exe
                                "C:\Users\Admin\Documents\x1RJgyd3XHPoM1dA1I9QbnsT.exe"
                                6⤵
                                  PID:2140
                                • C:\Users\Admin\Documents\mT9tndluu8knzo3meI8p7D6r.exe
                                  "C:\Users\Admin\Documents\mT9tndluu8knzo3meI8p7D6r.exe"
                                  6⤵
                                    PID:2180
                                  • C:\Users\Admin\Documents\Mxhgt32t_O5f4UvO7ZyDZVig.exe
                                    "C:\Users\Admin\Documents\Mxhgt32t_O5f4UvO7ZyDZVig.exe"
                                    6⤵
                                      PID:2196
                                    • C:\Users\Admin\Documents\yfx18fZKdOhmxGTHobFd_zw4.exe
                                      "C:\Users\Admin\Documents\yfx18fZKdOhmxGTHobFd_zw4.exe"
                                      6⤵
                                        PID:2244
                                      • C:\Users\Admin\Documents\DmSeqYkuitaWlV7O7qwvKUfb.exe
                                        "C:\Users\Admin\Documents\DmSeqYkuitaWlV7O7qwvKUfb.exe"
                                        6⤵
                                          PID:2284
                                        • C:\Users\Admin\Documents\vqjfyBlC8ZDbeucUP2QQzMzX.exe
                                          "C:\Users\Admin\Documents\vqjfyBlC8ZDbeucUP2QQzMzX.exe"
                                          6⤵
                                            PID:2276
                                          • C:\Users\Admin\Documents\sFwCNocqxoYuVRFvYThMAM1P.exe
                                            "C:\Users\Admin\Documents\sFwCNocqxoYuVRFvYThMAM1P.exe"
                                            6⤵
                                              PID:2268
                                            • C:\Users\Admin\Documents\UHrlOLo_sqUobzVQycEUJBCY.exe
                                              "C:\Users\Admin\Documents\UHrlOLo_sqUobzVQycEUJBCY.exe"
                                              6⤵
                                                PID:2256
                                              • C:\Users\Admin\Documents\Ej6Wvi1cotVGd_8ro1mOIhny.exe
                                                "C:\Users\Admin\Documents\Ej6Wvi1cotVGd_8ro1mOIhny.exe"
                                                6⤵
                                                  PID:2364
                                                • C:\Users\Admin\Documents\WUQ8ujx7elYDIWnPPk05cqeC.exe
                                                  "C:\Users\Admin\Documents\WUQ8ujx7elYDIWnPPk05cqeC.exe"
                                                  6⤵
                                                    PID:2500
                                                  • C:\Users\Admin\Documents\eUp3tgChEQwHX7iIvIx5N4Cc.exe
                                                    "C:\Users\Admin\Documents\eUp3tgChEQwHX7iIvIx5N4Cc.exe"
                                                    6⤵
                                                      PID:2484
                                                    • C:\Users\Admin\Documents\nNB5ZBjkNUdk2Dsbd8hde8lg.exe
                                                      "C:\Users\Admin\Documents\nNB5ZBjkNUdk2Dsbd8hde8lg.exe"
                                                      6⤵
                                                        PID:2476
                                                        • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                          "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                          7⤵
                                                            PID:2956
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sonia_7.exe
                                                      4⤵
                                                      • Loads dropped DLL
                                                      PID:1040
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_7.exe
                                                        sonia_7.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of SetThreadContext
                                                        PID:1736
                                                        • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_7.exe
                                                          C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_7.exe
                                                          6⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          PID:1876
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sonia_8.exe
                                                      4⤵
                                                      • Loads dropped DLL
                                                      PID:1384
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_8.exe
                                                        sonia_8.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:1292
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c sonia_1.exe
                                                      4⤵
                                                      • Loads dropped DLL
                                                      PID:792
                                                      • C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_1.exe
                                                        sonia_1.exe
                                                        5⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        PID:1508
                                                        • C:\Windows\SysWOW64\rUNdlL32.eXe
                                                          "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub
                                                          6⤵
                                                          • Loads dropped DLL
                                                          • Modifies registry class
                                                          • Suspicious behavior: EnumeratesProcesses
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:1472
                                              • C:\Users\Admin\AppData\Local\Temp\is-LSAJE.tmp\sonia_8.tmp
                                                "C:\Users\Admin\AppData\Local\Temp\is-LSAJE.tmp\sonia_8.tmp" /SL5="$4012E,506127,422400,C:\Users\Admin\AppData\Local\Temp\7zS4150F305\sonia_8.exe"
                                                1⤵
                                                • Executes dropped EXE
                                                • Loads dropped DLL
                                                PID:624
                                                • C:\Users\Admin\AppData\Local\Temp\is-HJJQO.tmp\bkhgbà_ç-.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\is-HJJQO.tmp\bkhgbà_ç-.exe" /S /UID=lab212
                                                  2⤵
                                                    PID:2600

                                                Network

                                                MITRE ATT&CK Enterprise v6

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • memory/388-177-0x000000001B430000-0x000000001B432000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/388-174-0x0000000000140000-0x0000000000156000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/388-148-0x0000000000840000-0x0000000000841000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/560-190-0x0000000000400000-0x0000000000950000-memory.dmp

                                                  Filesize

                                                  5.3MB

                                                  Download

                                                • memory/560-189-0x0000000000260000-0x00000000002FD000-memory.dmp

                                                  Filesize

                                                  628KB

                                                  Download

                                                • memory/624-179-0x00000000003E0000-0x00000000003E1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/784-185-0x0000000000060000-0x00000000000AC000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/784-186-0x00000000004C0000-0x0000000000531000-memory.dmp

                                                  Filesize

                                                  452KB

                                                  Download

                                                • memory/876-188-0x0000000001BA0000-0x0000000001C11000-memory.dmp

                                                  Filesize

                                                  452KB

                                                  Download

                                                • memory/1292-146-0x0000000000400000-0x000000000046D000-memory.dmp

                                                  Filesize

                                                  436KB

                                                  Download

                                                • memory/1472-184-0x00000000004E0000-0x000000000053D000-memory.dmp

                                                  Filesize

                                                  372KB

                                                  Download

                                                • memory/1472-183-0x0000000000C00000-0x0000000000D01000-memory.dmp

                                                  Filesize

                                                  1.0MB

                                                  Download

                                                • memory/1708-191-0x00000000002D0000-0x00000000002D9000-memory.dmp

                                                  Filesize

                                                  36KB

                                                  Download

                                                • memory/1708-192-0x0000000000400000-0x00000000008FA000-memory.dmp

                                                  Filesize

                                                  5.0MB

                                                  Download

                                                • memory/1712-107-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1712-105-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1712-96-0x0000000000400000-0x000000000051D000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                  Download

                                                • memory/1712-94-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                  Filesize

                                                  152KB

                                                  Download

                                                • memory/1712-88-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                  Filesize

                                                  572KB

                                                  Download

                                                • memory/1712-91-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1712-92-0x000000006FE40000-0x000000006FFC6000-memory.dmp

                                                  Filesize

                                                  1.5MB

                                                  Download

                                                • memory/1712-95-0x0000000000400000-0x000000000051D000-memory.dmp

                                                  Filesize

                                                  1.1MB

                                                  Download

                                                • memory/1712-90-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1712-110-0x000000006B440000-0x000000006B4CF000-memory.dmp

                                                  Filesize

                                                  572KB

                                                  Download

                                                • memory/1712-93-0x000000006B280000-0x000000006B2A6000-memory.dmp

                                                  Filesize

                                                  152KB

                                                  Download

                                                • memory/1712-89-0x0000000064940000-0x0000000064959000-memory.dmp

                                                  Filesize

                                                  100KB

                                                  Download

                                                • memory/1736-175-0x0000000001030000-0x0000000001031000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/1876-193-0x0000000000400000-0x000000000041E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/1876-196-0x0000000000400000-0x000000000041E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/1984-59-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/2076-200-0x0000000000C60000-0x0000000000C61000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2076-247-0x00000000001E0000-0x0000000000211000-memory.dmp

                                                  Filesize

                                                  196KB

                                                  Download

                                                • memory/2076-203-0x00000000002B0000-0x00000000002B1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2076-250-0x0000000000250000-0x0000000000251000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2076-215-0x0000000002770000-0x0000000002771000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2124-220-0x00000000012A0000-0x00000000012A1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2224-232-0x0000000001020000-0x0000000001021000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2224-248-0x0000000000690000-0x00000000006B4000-memory.dmp

                                                  Filesize

                                                  144KB

                                                  Download

                                                • memory/2256-241-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/2284-231-0x0000000000E50000-0x0000000000E51000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download