Analysis
-
max time kernel
15s -
max time network
197s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
30-06-2021 00:02
General
-
Target
8351A45BED6E3D3442D27DC11BD0226C.exe
-
Size
3.4MB
-
MD5
8351a45bed6e3d3442d27dc11bd0226c
-
SHA1
f32fce1bdd98889d50e6bb50fd1ab40eec339655
-
SHA256
3fa48c4223378b5ff4fbcff163b5a0fa89ff6980244cf9aaf01f5793c1ab9724
-
SHA512
0454da4a9b4383143418bba26c611fe5349887133c0c07eca4a1ea92d248a2cac3cbca7e2ba4ef61965241568a4fe1a271d7d54cac31539072e45d5a1f621599
Score
10/10
Malware Config
Extracted
Family
vidar
Version
39.4
Botnet
706
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://ppcspb.com/upload/
http://mebbing.com/upload/
http://twcamel.com/upload/
http://howdycash.com/upload/
http://lahuertasonora.com/upload/
http://kpotiques.com/upload/
rc4.i32
rc4.i32
Extracted
Family
redline
Botnet
ServAni
C2
87.251.71.195:82
Extracted
Family
vidar
Version
39.4
Botnet
932
C2
https://sergeevih43.tumblr.com
Attributes
-
profile_id
932
Extracted
Family
guloader
C2
https://cdn.discordapp.com/attachments/859444299618582560/859474854498271232/Heck.bin
Signatures
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 4 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 4 IoCs
-
ASPack v2.12-2.42 14 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
UPX packed file 6 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Loads dropped DLL 37 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8351A45BED6E3D3442D27DC11BD0226C.exe"C:\Users\Admin\AppData\Local\Temp\8351A45BED6E3D3442D27DC11BD0226C.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_2.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_2.exesonia_2.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_1.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_1.exesonia_1.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_3.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_3.exesonia_3.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 9645⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_4.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_4.exesonia_4.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_5.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_5.exesonia_5.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\8511465.exe"C:\Users\Admin\AppData\Roaming\8511465.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\3189295.exe"C:\Users\Admin\AppData\Roaming\3189295.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\6033319.exe"C:\Users\Admin\AppData\Roaming\6033319.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\5143067.exe"C:\Users\Admin\AppData\Roaming\5143067.exe"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_6.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_6.exesonia_6.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\76eyEHL9q0NJEZaw_9OY8i5e.exe"C:\Users\Admin\Documents\76eyEHL9q0NJEZaw_9OY8i5e.exe"5⤵
-
C:\Users\Admin\Documents\76eyEHL9q0NJEZaw_9OY8i5e.exe"C:\Users\Admin\Documents\76eyEHL9q0NJEZaw_9OY8i5e.exe"6⤵
-
-
-
C:\Users\Admin\Documents\qtVEh7sJYpitrBI2mFzF8kyq.exe"C:\Users\Admin\Documents\qtVEh7sJYpitrBI2mFzF8kyq.exe"5⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 9566⤵
- Program crash
-
-
-
C:\Users\Admin\Documents\fEzchljZz5MXdtUoVeOlHxpJ.exe"C:\Users\Admin\Documents\fEzchljZz5MXdtUoVeOlHxpJ.exe"5⤵
-
-
C:\Users\Admin\Documents\d5F5HYVrEiSqe8EpJHN5v_1w.exe"C:\Users\Admin\Documents\d5F5HYVrEiSqe8EpJHN5v_1w.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im d5F5HYVrEiSqe8EpJHN5v_1w.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Documents\d5F5HYVrEiSqe8EpJHN5v_1w.exe" & del C:\ProgramData\*.dll & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im d5F5HYVrEiSqe8EpJHN5v_1w.exe /f7⤵
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 67⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Documents\irD5gOwWRGj7DqjdzUkmGe8Y.exe"C:\Users\Admin\Documents\irD5gOwWRGj7DqjdzUkmGe8Y.exe"5⤵
-
C:\Program Files (x86)\Company\NewProduct\file4.exe"C:\Program Files (x86)\Company\NewProduct\file4.exe"6⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"C:\Program Files (x86)\Company\NewProduct\jingzhang.exe"6⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",shl7⤵
-
-
-
C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"6⤵
-
-
C:\Program Files (x86)\Company\NewProduct\jooyu.exe"C:\Program Files (x86)\Company\NewProduct\jooyu.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt7⤵
-
-
-
-
C:\Users\Admin\Documents\lnoNawZpqKFKamzRBmmDy3Rk.exe"C:\Users\Admin\Documents\lnoNawZpqKFKamzRBmmDy3Rk.exe"5⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --hold https://ezsearch.ru6⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef6d34f50,0x7fef6d34f60,0x7fef6d34f707⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1452 /prefetch:27⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1500 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1512 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2620 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2808 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3064 /prefetch:87⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2788 /prefetch:17⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1260,2456444142259614918,17398162617411002303,131072 --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=708 /prefetch:17⤵
-
-
-
-
C:\Users\Admin\Documents\fculuv9Ji9tk3m6G2SqwOwBn.exe"C:\Users\Admin\Documents\fculuv9Ji9tk3m6G2SqwOwBn.exe"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\38485648997.exe"6⤵
-
C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\38485648997.exe"C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\38485648997.exe"7⤵
-
C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\38485648997.exe"C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\38485648997.exe"8⤵
-
C:\Users\Admin\AppData\Local\Temp\1625011740708.exe"C:\Users\Admin\AppData\Local\Temp\1625011740708.exe"9⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\54411028949.exe" /mix6⤵
-
C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\54411028949.exe"C:\Users\Admin\AppData\Local\Temp\{DkLz-TJEgO-kjhD-9w3MM}\54411028949.exe" /mix7⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "fculuv9Ji9tk3m6G2SqwOwBn.exe" /f & erase "C:\Users\Admin\Documents\fculuv9Ji9tk3m6G2SqwOwBn.exe" & exit6⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "fculuv9Ji9tk3m6G2SqwOwBn.exe" /f7⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Documents\tEE_bWKJeDo2Q_7jDUigF0p8.exe"C:\Users\Admin\Documents\tEE_bWKJeDo2Q_7jDUigF0p8.exe"5⤵
-
C:\Users\Admin\Documents\tEE_bWKJeDo2Q_7jDUigF0p8.exeC:\Users\Admin\Documents\tEE_bWKJeDo2Q_7jDUigF0p8.exe6⤵
-
-
-
C:\Users\Admin\Documents\JUXYNpPA48ZoT3BbleGKQMoi.exe"C:\Users\Admin\Documents\JUXYNpPA48ZoT3BbleGKQMoi.exe"5⤵
-
-
C:\Users\Admin\Documents\p8x1mJ0WCxfYbuCpdXV484gi.exe"C:\Users\Admin\Documents\p8x1mJ0WCxfYbuCpdXV484gi.exe"5⤵
-
C:\Users\Admin\Documents\p8x1mJ0WCxfYbuCpdXV484gi.exeC:\Users\Admin\Documents\p8x1mJ0WCxfYbuCpdXV484gi.exe6⤵
-
-
-
C:\Users\Admin\Documents\7hJSjdWtrqbkNyRwk0kRgUmQ.exe"C:\Users\Admin\Documents\7hJSjdWtrqbkNyRwk0kRgUmQ.exe"5⤵
-
-
C:\Users\Admin\Documents\TJwHh5DcoPzjt8rF5zHqtEqD.exe"C:\Users\Admin\Documents\TJwHh5DcoPzjt8rF5zHqtEqD.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt6⤵
-
-
-
C:\Users\Admin\Documents\WQSY8dhEVne2rNM73aLVQDh8.exe"C:\Users\Admin\Documents\WQSY8dhEVne2rNM73aLVQDh8.exe"5⤵
-
C:\Windows\SysWOW64\rUNdlL32.eXe"C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\axhub.dll",axhub6⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_8.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sonia_7.exe3⤵
- Loads dropped DLL
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_7.exesonia_7.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_7.exeC:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_7.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_7.exeC:\Users\Admin\AppData\Local\Temp\7zS4F7506D4\sonia_7.exe2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exeC:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 2921⤵
- Program crash
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
144KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
196KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
36KB
-
Filesize
5.0MB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
5.3MB
-
Filesize
1.1MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
1.1MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
8KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
628KB
-
Filesize
5.3MB
-
Filesize
64KB