Analysis

max time kernel: 28s
max time network: 152s
platform: windows7_x64
resource: win7v20210408
submitted: 20-07-2021 12:49
Static task: static1
General

Target: sonia_5.exe
Size: 1014KB
MD5: 0c3f670f496ffcf516fe77d2a161a6ee
SHA1: 0c59d3494b38d768fe120e0a4ca2a1dca7567e6e
SHA256: 8ed9f410b41e51f09304e5cdadc4d61f82562c9ee15be810e063f2f568812dd0
SHA512: bce80fa77557683645480ec28bf5f3a4facb780728d709166890c18decb2095509f69c524e4ce5fbcb48788961554be0467dc78db70f1fd2d242dbd5922a1095
Malware Config

Extracted: redline
  2007
  37.1.219.52:6534

Extracted: fickerstealer
  37.0.8.225:80

Extracted: metasploit
  windows/single_exec

Extracted: redline
  sel17
  dwarimlari.xyz:80

Extracted: vidar
  39.7
  865
  https://shpak125.tumblr.com/
  profile_id: 865
Signatures

Fickerstealer
Ficker is an infostealer written in Rust and ASM.

Glupteba Payload 2 IoCs
resource | yara_rule
behavioral1/memory/2208-164-0x0000000001390000-0x0000000001CB6000-memory.dmp | family_glupteba
behavioral1/memory/2208-165-0x0000000000400000-0x0000000000D41000-memory.dmp | family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload 6 IoCs
Each resource below matched both the family_redline and the Redline_stealer2 yara rules.
resource | yara_rule
behavioral1/files/0x00040000000130e6-70.dat | family_redline, Redline_stealer2
behavioral1/files/0x00040000000130e6-95.dat | family_redline, Redline_stealer2
behavioral1/files/0x00040000000130e6-92.dat | family_redline, Redline_stealer2
behavioral1/memory/2944-180-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline, Redline_stealer2
behavioral1/memory/2944-181-0x0000000000417DEA-mapping.dmp | family_redline, Redline_stealer2
behavioral1/memory/2944-183-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline, Redline_stealer2

Vidar Stealer 1 IoCs
resource | yara_rule
behavioral1/memory/1312-184-0x0000000000400000-0x00000000008EC000-memory.dmp | family_vidar

Downloads MZ/PE file

Executes dropped EXE 6 IoCs
pid | Process
1064 | gWoabDP1RCIYrtY5YPLBPAuK.exe
764 | JcXYhkwQShbDGc8ijlFY0WnI.exe
1752 | uv3zRWlbOBErYMXHCCY5PDxf.exe
1560 | tRecm8SdTaFX42EMrOaXJoxo.exe
1244 | rPizQkrcfvpyGPNxZkGNSwR0.exe
1668 | 27sm5dtve0IrJd5YdDiYbFjZ.exe

Loads dropped DLL 10 IoCs
pid | Process
1652 | sonia_5.exe (10 events)

resource | yara_rule
behavioral1/files/0x00030000000130f4-81.dat | themida
behavioral1/files/0x00030000000130f4-71.dat | themida
behavioral1/files/0x0003000000013136-134.dat | themida
behavioral1/files/0x0003000000013136-131.dat | themida

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
3 | ipinfo.io
4 | ipinfo.io
114 | api.ipify.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | sonia_5.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob value not shown in report) | sonia_5.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | sonia_5.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (blob value not shown in report) | sonia_5.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (blob value not shown in report) | sonia_5.exe

Runs ping.exe 1 TTPs 1 IoCs
pid | Process
676 | PING.EXE

Suspicious use of WriteProcessMemory 42 IoCs
Identical events are grouped; the events column gives how many times each row occurred (42 in total).
description | pid | Process | procid_target | events
PID 1652 wrote to memory of 1752 | 1652 | sonia_5.exe | 31 | 4
PID 1652 wrote to memory of 1064 | 1652 | sonia_5.exe | 39 | 7
PID 1652 wrote to memory of 1560 | 1652 | sonia_5.exe | 38 | 4
PID 1652 wrote to memory of 764 | 1652 | sonia_5.exe | 35 | 4
PID 1652 wrote to memory of 1100 | 1652 | sonia_5.exe | 36 | 4
PID 1652 wrote to memory of 1244 | 1652 | sonia_5.exe | 37 | 4
PID 1652 wrote to memory of 1668 | 1652 | sonia_5.exe | 33 | 4
PID 1652 wrote to memory of 1596 | 1652 | sonia_5.exe | 34 | 7
PID 1652 wrote to memory of 292 | 1652 | sonia_5.exe | 32 | 4
Processes

Process tree (indentation shows parent/child depth; each entry is image path | command line | PID, with the signatures it triggered listed beneath it):

C:\Users\Admin\AppData\Local\Temp\sonia_5.exe | "C:\Users\Admin\AppData\Local\Temp\sonia_5.exe" | PID:1652
  - Loads dropped DLL
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\uv3zRWlbOBErYMXHCCY5PDxf.exe | "C:\Users\Admin\Documents\uv3zRWlbOBErYMXHCCY5PDxf.exe" | PID:1752
      - Executes dropped EXE
        C:\Users\Admin\Documents\uv3zRWlbOBErYMXHCCY5PDxf.exe | C:\Users\Admin\Documents\uv3zRWlbOBErYMXHCCY5PDxf.exe | PID:2944
    C:\Users\Admin\Documents\2NvlmwDVOSaHCd9btJVkTLop.exe | "C:\Users\Admin\Documents\2NvlmwDVOSaHCd9btJVkTLop.exe" | PID:292
    C:\Users\Admin\Documents\27sm5dtve0IrJd5YdDiYbFjZ.exe | "C:\Users\Admin\Documents\27sm5dtve0IrJd5YdDiYbFjZ.exe" | PID:1668
      - Executes dropped EXE
    C:\Users\Admin\Documents\W5auagijfjO_osak67imq75H.exe | "C:\Users\Admin\Documents\W5auagijfjO_osak67imq75H.exe" | PID:1596
        C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c cmd < Sorrisi.tmp | PID:2908
            C:\Windows\SysWOW64\cmd.exe | cmd | PID:2984
                C:\Windows\SysWOW64\findstr.exe | findstr /V /R "^yNFefWPitqXbQXexaaaweTJMeyyzoIKOZcrabptodYbHejNKUaJtRjoktSZpRcZcdpbxUJWpgpLtcwKPaxnPYFWNhRgFpV$" Sapete.tmp | PID:2996
                C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Acre.exe.com | Acre.exe.com k | PID:2088
                C:\Windows\SysWOW64\PING.EXE | ping 127.0.0.1 -n 30 | PID:676
                  - Runs ping.exe
    C:\Users\Admin\Documents\JcXYhkwQShbDGc8ijlFY0WnI.exe | "C:\Users\Admin\Documents\JcXYhkwQShbDGc8ijlFY0WnI.exe" | PID:764
      - Executes dropped EXE
    C:\Users\Admin\Documents\faxrjd4El9M8ISscDaJMq0_C.exe | "C:\Users\Admin\Documents\faxrjd4El9M8ISscDaJMq0_C.exe" | PID:1100
    C:\Users\Admin\Documents\rPizQkrcfvpyGPNxZkGNSwR0.exe | "C:\Users\Admin\Documents\rPizQkrcfvpyGPNxZkGNSwR0.exe" | PID:1244
      - Executes dropped EXE
    C:\Users\Admin\Documents\tRecm8SdTaFX42EMrOaXJoxo.exe | "C:\Users\Admin\Documents\tRecm8SdTaFX42EMrOaXJoxo.exe" | PID:1560
      - Executes dropped EXE
    C:\Users\Admin\Documents\gWoabDP1RCIYrtY5YPLBPAuK.exe | "C:\Users\Admin\Documents\gWoabDP1RCIYrtY5YPLBPAuK.exe" | PID:1064
      - Executes dropped EXE
    C:\Users\Admin\Documents\06dWaP1K2FnQUy6bfOZ7wPSP.exe | "C:\Users\Admin\Documents\06dWaP1K2FnQUy6bfOZ7wPSP.exe" | PID:1648
    C:\Users\Admin\Documents\CwLh6oe44WZB5d60bk4couOW.exe | "C:\Users\Admin\Documents\CwLh6oe44WZB5d60bk4couOW.exe" | PID:2044
    C:\Users\Admin\Documents\l5HfL8Oi3HpjquV86CSHDlZn.exe | "C:\Users\Admin\Documents\l5HfL8Oi3HpjquV86CSHDlZn.exe" | PID:1952
    C:\Users\Admin\Documents\3hW4JL0EIAVzBuOd8jhnmKF0.exe | "C:\Users\Admin\Documents\3hW4JL0EIAVzBuOd8jhnmKF0.exe" | PID:1312
    C:\Users\Admin\Documents\s2S6V8o_sEqPndl5NMSJeyz7.exe | "C:\Users\Admin\Documents\s2S6V8o_sEqPndl5NMSJeyz7.exe" | PID:1976
    C:\Users\Admin\Documents\6Jb1qOpnNayT8ja9jeyPUBXi.exe | "C:\Users\Admin\Documents\6Jb1qOpnNayT8ja9jeyPUBXi.exe" | PID:1604
    C:\Users\Admin\Documents\mo_wRuwu5b1jvMStngdQnMa1.exe | "C:\Users\Admin\Documents\mo_wRuwu5b1jvMStngdQnMa1.exe" | PID:2144
        C:\Users\Admin\Documents\mo_wRuwu5b1jvMStngdQnMa1.exe | "C:\Users\Admin\Documents\mo_wRuwu5b1jvMStngdQnMa1.exe" | PID:2416
    C:\Users\Admin\Documents\Uui5OdUPlPzIDg9myAAi2SC4.exe | "C:\Users\Admin\Documents\Uui5OdUPlPzIDg9myAAi2SC4.exe" | PID:2228
    C:\Users\Admin\Documents\w2NOdeIbvyB5OJUROrKhamB7.exe | "C:\Users\Admin\Documents\w2NOdeIbvyB5OJUROrKhamB7.exe" | PID:2208