Analysis
-
max time kernel
6s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
24-08-2021 04:56
General
-
Target
A56C0274E6EA9BD32141634A92052D91.exe
-
Size
4.1MB
-
MD5
a56c0274e6ea9bd32141634a92052d91
-
SHA1
0f69b4fcbda90184075b84d12217abbd0c07d704
-
SHA256
4d6904b252c292f5aefe176877720e6e8520c977c9f27ba46c92e5a0b6796016
-
SHA512
c21c368a8d9e59b61ddb409958b071f206bc1c10e42b1a378a6b32b01fa4a9e107d1b840a0351a2ef3c787881e87d842ae12bd4c49050feb2dab5c7247088526
Score
10/10
Malware Config
Extracted
Family
redline
Botnet
pub1
C2
viacetequn.site:80
Extracted
Family
vidar
Version
40.1
Botnet
706
C2
https://eduarroma.tumblr.com/
Attributes
-
profile_id
706
Extracted
Family
smokeloader
Version
2020
C2
http://aucmoney.com/upload/
http://thegymmum.com/upload/
http://atvcampingtrips.com/upload/
http://kuapakualaman.com/upload/
http://renatazarazua.com/upload/
http://nasufmutlu.com/upload/
rc4.i32
rc4.i32
Signatures
-
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar Stealer 1 IoCs
-
ASPack v2.12-2.42 7 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 8 IoCs
-
Themida packer 6 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\A56C0274E6EA9BD32141634A92052D91.exe"C:\Users\Admin\AppData\Local\Temp\A56C0274E6EA9BD32141634A92052D91.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\setup_install.exe"C:\Users\Admin\AppData\Local\Temp\7zS04F20934\setup_install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17e57b57304ad6467.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17e57b57304ad6467.exeFri17e57b57304ad6467.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17e57b57304ad6467.exe"C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17e57b57304ad6467.exe" -a5⤵
- Executes dropped EXE
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17935370d9f965.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17935370d9f965.exeFri17935370d9f965.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17f148864b7f11.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17f148864b7f11.exeFri17f148864b7f11.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17c3ec4b03a0d8e6.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17c3ec4b03a0d8e6.exeFri17c3ec4b03a0d8e6.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3448 -s 7685⤵
- Program crash
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri1743bf1fe022.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri1743bf1fe022.exeFri1743bf1fe022.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\Documents\tALY2fAko2mV_KEBmU2wo8Zd.exe"C:\Users\Admin\Documents\tALY2fAko2mV_KEBmU2wo8Zd.exe"5⤵
-
-
C:\Users\Admin\Documents\_iOz7r_OjBTOIL4TIGlkSfMF.exe"C:\Users\Admin\Documents\_iOz7r_OjBTOIL4TIGlkSfMF.exe"5⤵
-
-
C:\Users\Admin\Documents\ymPL7X1BWgF78CAwcdl13mPL.exe"C:\Users\Admin\Documents\ymPL7X1BWgF78CAwcdl13mPL.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
-
-
C:\Users\Admin\Documents\h_kkjott82XPtU_bVCu99pLp.exe"C:\Users\Admin\Documents\h_kkjott82XPtU_bVCu99pLp.exe"5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\Documents\dIek_68lg3Zy8rs7IyYZHnZ6.exe"C:\Users\Admin\Documents\dIek_68lg3Zy8rs7IyYZHnZ6.exe"5⤵
-
-
C:\Users\Admin\Documents\aFALIvGfNg6UqFPzK3QZj0iz.exe"C:\Users\Admin\Documents\aFALIvGfNg6UqFPzK3QZj0iz.exe"5⤵
-
-
C:\Users\Admin\Documents\tdi7WkkGerW4gVpPg3Bnhsd9.exe"C:\Users\Admin\Documents\tdi7WkkGerW4gVpPg3Bnhsd9.exe"5⤵
-
-
C:\Users\Admin\Documents\ocFuWUz9XRlOFAxMUjMv70m4.exe"C:\Users\Admin\Documents\ocFuWUz9XRlOFAxMUjMv70m4.exe"5⤵
-
-
C:\Users\Admin\Documents\OS4XBWi5zDcy8gv99nebrWvo.exe"C:\Users\Admin\Documents\OS4XBWi5zDcy8gv99nebrWvo.exe"5⤵
-
-
C:\Users\Admin\Documents\bXckbwmIxvONDbfrPrpq11R5.exe"C:\Users\Admin\Documents\bXckbwmIxvONDbfrPrpq11R5.exe"5⤵
-
-
C:\Users\Admin\Documents\Gy9wz7Yw_N5EWNRlYzultne6.exe"C:\Users\Admin\Documents\Gy9wz7Yw_N5EWNRlYzultne6.exe"5⤵
-
-
C:\Users\Admin\Documents\zP_DX3lpLhhMTl0OgCkL8vqY.exe"C:\Users\Admin\Documents\zP_DX3lpLhhMTl0OgCkL8vqY.exe"5⤵
-
-
C:\Users\Admin\Documents\PQeiNksCsd7OLiJAOFoQ9b0P.exe"C:\Users\Admin\Documents\PQeiNksCsd7OLiJAOFoQ9b0P.exe"5⤵
-
-
C:\Users\Admin\Documents\lM6axpCMJqUlM5tRdB27XCWc.exe"C:\Users\Admin\Documents\lM6axpCMJqUlM5tRdB27XCWc.exe"5⤵
-
-
C:\Users\Admin\Documents\pHqxK7MpFoxy2jGETjFLDJRV.exe"C:\Users\Admin\Documents\pHqxK7MpFoxy2jGETjFLDJRV.exe"5⤵
-
-
C:\Users\Admin\Documents\JELoPhVYmZapkQNV2jxnQZFq.exe"C:\Users\Admin\Documents\JELoPhVYmZapkQNV2jxnQZFq.exe"5⤵
-
-
C:\Users\Admin\Documents\PqNwUSlLcq7ieNlP_kZcZf9_.exe"C:\Users\Admin\Documents\PqNwUSlLcq7ieNlP_kZcZf9_.exe"5⤵
-
-
C:\Users\Admin\Documents\NPu4DKIaDMpuKIORpt1zfFb8.exe"C:\Users\Admin\Documents\NPu4DKIaDMpuKIORpt1zfFb8.exe"5⤵
-
-
C:\Users\Admin\Documents\criFjOh2Qslh90lUmz_eIuq_.exe"C:\Users\Admin\Documents\criFjOh2Qslh90lUmz_eIuq_.exe"5⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17db701d83a67.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17db701d83a67.exeFri17db701d83a67.exe4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17384323b14.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17384323b14.exeFri17384323b14.exe4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\dllhost.exedllhost.exe5⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c cmd < Abbassero.wmv5⤵
-
C:\Windows\SysWOW64\cmd.execmd6⤵
-
C:\Windows\SysWOW64\findstr.exefindstr /V /R "^VHwgFRxzxxLcwcGoqrvwdRkyDDkqmNLTpdmTOMvFsotvynnSaSEGawtrcWKeGzUGIRjLVNzgHQJiNPZttzIGotBijvbSexZYgbNhjNWFndZB$" Rugiada.wmv7⤵
-
-
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Piu.exe.comPiu.exe.com L7⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17523e6b49e.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17523e6b49e.exeFri17523e6b49e.exe4⤵
- Executes dropped EXE
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c Fri17bbd34709019a06.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7zS04F20934\Fri17bbd34709019a06.exeFri17bbd34709019a06.exe4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"C:\Users\Admin\AppData\Local\Temp\LzmwAqmV.exe"5⤵
-
C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"C:\Users\Admin\AppData\Local\Temp\Chrome3.exe"6⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services64" /tr '"C:\Users\Admin\AppData\Roaming\services64.exe"' & exit7⤵
-
-
-
C:\Users\Admin\AppData\Local\Temp\1.exe"C:\Users\Admin\AppData\Local\Temp\1.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\2.exe"C:\Users\Admin\AppData\Local\Temp\2.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\3.exe"C:\Users\Admin\AppData\Local\Temp\3.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\4.exe"C:\Users\Admin\AppData\Local\Temp\4.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\5.exe"C:\Users\Admin\AppData\Local\Temp\5.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\6.exe"C:\Users\Admin\AppData\Local\Temp\6.exe"6⤵
-
-
C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"C:\Users\Admin\AppData\Local\Temp\BearVpn 3.exe"6⤵
-
-
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global1⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
912KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
100KB
-
Filesize
152KB
-
Filesize
572KB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.5MB
-
Filesize
100KB
-
Filesize
1.2MB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40.8MB
-
Filesize
8KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
104KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
41.1MB
-
Filesize
1.3MB
-
Filesize
40.7MB
-
Filesize
36KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
112KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
8KB