Analysis
-
max time kernel
11s -
max time network
183s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
14-08-2021 00:00
General
-
Target
918769ECEACD168684DEF1B316FF3198.exe
-
Size
3.3MB
-
MD5
918769eceacd168684def1b316ff3198
-
SHA1
044df161143e5e5c255b4edea7199364703776ed
-
SHA256
6bc9c4e5a88eaa95550d066ff02f0d45b6bd2a93fbcb72b562c6c65ce06bb900
-
SHA512
b0f4dc956b8aeee77724d0424d6c5f8c5b7c503e184ef54caf9bb47bd509205e843d91784329327010726e73fc28140d63a7e461b61fe86278caa86fc4530a17
Score
10/10
Malware Config
Extracted
Family
vidar
Version
40
Botnet
706
C2
https://lenak513.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Extracted
Family
raccoon
Botnet
93d3ccba4a3cbd5e268873fc1760b2335272e198
Attributes
-
url4cnc
https://telete.in/opa4kiprivatem
rc4.plain
rc4.plain
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Raccoon
Simple but powerful infostealer which was very active in 2019.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
-
Vidar Stealer 2 IoCs
-
ASPack v2.12-2.42 6 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 9 IoCs
-
VMProtect packed file 7 IoCs
Detects executables packed with VMProtect commercial packer.
-
Loads dropped DLL 35 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\918769ECEACD168684DEF1B316FF3198.exe"C:\Users\Admin\AppData\Local\Temp\918769ECEACD168684DEF1B316FF3198.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 6eee9f336da6fcf1.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\6eee9f336da6fcf1.exe6eee9f336da6fcf1.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c c98f61652.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\c98f61652.exec98f61652.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 9e27a03aab64665.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\9e27a03aab64665.exe9e27a03aab64665.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 14485⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c APPNAME33.exe3⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 01a389215e4.exe3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 1a693a205739887.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\1a693a205739887.exe1a693a205739887.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\1a693a205739887.exe"C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\1a693a205739887.exe" -a5⤵
- Executes dropped EXE
- Loads dropped DLL
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c efd22e6e99d7ee86.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\efd22e6e99d7ee86.exeefd22e6e99d7ee86.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 626c1e3ded0b288.exe3⤵
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\626c1e3ded0b288.exe626c1e3ded0b288.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\6746545.exe"C:\Users\Admin\AppData\Roaming\6746545.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\7862897.exe"C:\Users\Admin\AppData\Roaming\7862897.exe"5⤵
-
C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"6⤵
-
-
-
C:\Users\Admin\AppData\Roaming\8228776.exe"C:\Users\Admin\AppData\Roaming\8228776.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\3717610.exe"C:\Users\Admin\AppData\Roaming\3717610.exe"5⤵
-
-
C:\Users\Admin\AppData\Roaming\2343990.exe"C:\Users\Admin\AppData\Roaming\2343990.exe"5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\7zS834A40A4\01a389215e4.exe01a389215e4.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\Documents\Worb3DpoNUWyeRsiCfSRVtyT.exe"C:\Users\Admin\Documents\Worb3DpoNUWyeRsiCfSRVtyT.exe"2⤵
-
-
C:\Users\Admin\Documents\vgNLMM1avCtelx85_FDu4Pbb.exe"C:\Users\Admin\Documents\vgNLMM1avCtelx85_FDu4Pbb.exe"2⤵
-
-
C:\Users\Admin\Documents\4ymoRS51CDxhK0LksEI0j_g3.exe"C:\Users\Admin\Documents\4ymoRS51CDxhK0LksEI0j_g3.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\5604733.exe"C:\Users\Admin\AppData\Roaming\5604733.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\4220281.exe"C:\Users\Admin\AppData\Roaming\4220281.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\1368372.exe"C:\Users\Admin\AppData\Roaming\1368372.exe"3⤵
-
-
C:\Users\Admin\AppData\Roaming\1035798.exe"C:\Users\Admin\AppData\Roaming\1035798.exe"3⤵
-
-
-
C:\Users\Admin\Documents\QuiEfTNhbU_EmmaQ1HJaUXS3.exe"C:\Users\Admin\Documents\QuiEfTNhbU_EmmaQ1HJaUXS3.exe"2⤵
-
-
C:\Users\Admin\Documents\CIJT1AkWWBNRxn9EBfg_I1QI.exe"C:\Users\Admin\Documents\CIJT1AkWWBNRxn9EBfg_I1QI.exe"2⤵
-
C:\Users\Admin\Documents\CIJT1AkWWBNRxn9EBfg_I1QI.exeC:\Users\Admin\Documents\CIJT1AkWWBNRxn9EBfg_I1QI.exe3⤵
-
-
-
C:\Users\Admin\Documents\0oAT8upBeWTNXry9qkZJkYRB.exe"C:\Users\Admin\Documents\0oAT8upBeWTNXry9qkZJkYRB.exe"2⤵
-
-
C:\Users\Admin\Documents\_lfIxVjKqY7m3lSqrBz0mDWl.exe"C:\Users\Admin\Documents\_lfIxVjKqY7m3lSqrBz0mDWl.exe"2⤵
-
C:\Users\Admin\Documents\_lfIxVjKqY7m3lSqrBz0mDWl.exe"C:\Users\Admin\Documents\_lfIxVjKqY7m3lSqrBz0mDWl.exe"3⤵
-
-
-
C:\Users\Admin\Documents\MKUdbwKqR5zCyFq_0ILlOolq.exe"C:\Users\Admin\Documents\MKUdbwKqR5zCyFq_0ILlOolq.exe"2⤵
-
-
C:\Users\Admin\Documents\4B92Ae808Prjrc_zY8iOVlac.exe"C:\Users\Admin\Documents\4B92Ae808Prjrc_zY8iOVlac.exe"2⤵
-
-
C:\Users\Admin\Documents\fzox5TqjDYYFU5mQO1wan2qF.exe"C:\Users\Admin\Documents\fzox5TqjDYYFU5mQO1wan2qF.exe"2⤵
-
-
C:\Users\Admin\Documents\fKOkizjI12B3SB9ip1uYDpoM.exe"C:\Users\Admin\Documents\fKOkizjI12B3SB9ip1uYDpoM.exe"2⤵
-
-
C:\Users\Admin\Documents\3hTnrsZ1T2Zk0F073W4KGxIJ.exe"C:\Users\Admin\Documents\3hTnrsZ1T2Zk0F073W4KGxIJ.exe"2⤵
-
-
C:\Users\Admin\Documents\_7dpw_htaLsK_DtnQy_zAbOt.exe"C:\Users\Admin\Documents\_7dpw_htaLsK_DtnQy_zAbOt.exe"2⤵
-
-
C:\Users\Admin\Documents\0IQ9r18AMBWW5MWxCsNtKTfJ.exe"C:\Users\Admin\Documents\0IQ9r18AMBWW5MWxCsNtKTfJ.exe"2⤵
-
-
C:\Users\Admin\Documents\rBzjPaP8Ya11Hd3UEOktMKok.exe"C:\Users\Admin\Documents\rBzjPaP8Ya11Hd3UEOktMKok.exe"2⤵
-
-
C:\Users\Admin\Documents\dvn2VouERVg2LSU91aEljqR0.exe"C:\Users\Admin\Documents\dvn2VouERVg2LSU91aEljqR0.exe"2⤵
-
C:\Program Files (x86)\Company\NewProduct\customer3.exe"C:\Program Files (x86)\Company\NewProduct\customer3.exe"3⤵
-
-
-
C:\Users\Admin\Documents\0xCZLCMJl2fWwV9cN4IrYSls.exe"C:\Users\Admin\Documents\0xCZLCMJl2fWwV9cN4IrYSls.exe"2⤵
-
-
C:\Users\Admin\Documents\UPqk8H6_LMpuKeSsGQG79vbL.exe"C:\Users\Admin\Documents\UPqk8H6_LMpuKeSsGQG79vbL.exe"2⤵
-
-
C:\Users\Admin\Documents\RrHVL5SCCdcl3s7VOe2PB2nS.exe"C:\Users\Admin\Documents\RrHVL5SCCdcl3s7VOe2PB2nS.exe"2⤵
-
-
C:\Users\Admin\Documents\JCoboVC0Oqcsu7aOdsz1szNp.exe"C:\Users\Admin\Documents\JCoboVC0Oqcsu7aOdsz1szNp.exe"2⤵
-
-
C:\Users\Admin\Documents\pygR6qilyCPDscMNrjaAb8eI.exe"C:\Users\Admin\Documents\pygR6qilyCPDscMNrjaAb8eI.exe"2⤵
-
-
C:\Users\Admin\Documents\ZhH5z46TpxF_QFabyiJVKxCO.exe"C:\Users\Admin\Documents\ZhH5z46TpxF_QFabyiJVKxCO.exe"2⤵
-
-
C:\Users\Admin\Documents\Wrjo3hbJ1IwgjsfUYsDRy2oZ.exe"C:\Users\Admin\Documents\Wrjo3hbJ1IwgjsfUYsDRy2oZ.exe"2⤵
-
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global2⤵
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k SystemNetworkService1⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
628KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
1.5MB
-
Filesize
152KB
-
Filesize
100KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
308KB
-
Filesize
464KB
-
Filesize
8KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
40.4MB
-
Filesize
36KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
3.3MB
-
Filesize
5.0MB
-
Filesize
36KB
-
Filesize
1.0MB
-
Filesize
380KB
-
Filesize
40KB
-
Filesize
5.3MB
-
Filesize
572KB
-
Filesize
464KB
-
Filesize
28KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
172KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
36KB