Overview

overview

10

Static

static

Setup (1).exe

windows7_x64

10

Setup (1).exe

windows10_x64

10

Setup (10).exe

windows7_x64

10

Setup (10).exe

windows10_x64

10

Setup (11).exe

windows7_x64

10

Setup (11).exe

windows10_x64

10

Setup (12).exe

windows7_x64

10

Setup (12).exe

windows10_x64

10

Setup (13).exe

windows7_x64

10

Setup (13).exe

windows10_x64

10

Setup (14).exe

windows7_x64

10

Setup (14).exe

windows10_x64

10

Setup (15).exe

windows7_x64

10

Setup (15).exe

windows10_x64

10

Setup (16).exe

windows7_x64

10

Setup (16).exe

windows10_x64

10

Setup (17).exe

windows7_x64

10

Setup (17).exe

windows10_x64

10

Setup (18).exe

windows7_x64

10

Setup (18).exe

windows10_x64

10

Setup (19).exe

windows7_x64

10

Setup (19).exe

windows10_x64

10

Setup (2).exe

windows7_x64

10

Setup (2).exe

windows10_x64

10

Setup (20).exe

windows7_x64

10

Setup (20).exe

windows10_x64

10

Setup (21).exe

windows7_x64

10

Setup (21).exe

windows10_x64

10

Setup (22).exe

windows7_x64

10

Setup (22).exe

windows10_x64

10

Setup (23).exe

windows7_x64

10

Setup (23).exe

windows10_x64

10

Resubmissions

15-10-2024 15:36

241015-s1zlzasdkc 10

01-07-2024 18:32

240701-w6yteawhmq 10

01-07-2024 14:52

240701-r82wmaxdnd 10

01-07-2024 14:52

240701-r8syqa1dpp 10

11-03-2024 21:22

240311-z8dsssgg58 10

01-09-2021 13:18

210901-5bmxjspa5s 10

01-09-2021 13:04

210901-te4btfspqa 10

01-09-2021 05:12

210901-4wnkwm1p3j 10

31-08-2021 21:47

210831-41rp97dma2 10

31-08-2021 19:51

210831-359awwatje 10

Analysis

  • max time kernel
    1794s
  • max time network
    1835s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    31-08-2021 19:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Setup (22).exe

  • Size

    631KB

  • MD5

    cb927513ff8ebff4dd52a47f7e42f934

  • SHA1

    0de47c02a8adc4940a6c18621b4e4a619641d029

  • SHA256

    fd5c970806fba1500cbb6af5328329aeb43b8de3f02d90ec5d8cd1d57711622f

  • SHA512

    988c8fd886a9155b7d190faf2ce6b34d910efcffcf1c6251f18a9d0c804a0ea26a89679273033ac98b200363c536426efd1ae9de445c34e660369abb06f0071c

Score
10/10
redline131.08spnewportspectrdiscoveryevasioninfostealerspywarestealerthemidatrojan

Malware Config

Extracted

Family

redline

Botnet

1

C2

37.0.8.88:44263

Extracted

Family

redline

Botnet

31.08

C2

95.181.152.47:15089

Extracted

Family

redline

Botnet

spnewportspectr

C2

135.148.139.222:1594

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 7 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
    evasion
  • Downloads MZ/PE file
  • Executes dropped EXE 33 IoCs
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 41 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Themida packer 11 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 3 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies system certificate store 2 TTPs 7 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Setup (22).exe
    "C:\Users\Admin\AppData\Local\Temp\Setup (22).exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2028
    • C:\Users\Admin\Documents\XObEuV_0NjVeM4QWw6ZR2x0s.exe
      "C:\Users\Admin\Documents\XObEuV_0NjVeM4QWw6ZR2x0s.exe"
      2⤵
      • Executes dropped EXE
      PID:880
    • C:\Users\Admin\Documents\2ibk8bMF5yYPSsEHZacCgJ31.exe
      "C:\Users\Admin\Documents\2ibk8bMF5yYPSsEHZacCgJ31.exe"
      2⤵
      • Executes dropped EXE
      • Checks BIOS information in registry
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
      "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:508
      • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
        "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
        3⤵
        • Executes dropped EXE
        PID:628
      • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
        "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
        3⤵
        • Executes dropped EXE
        PID:2460
      • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
        "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
        3⤵
        • Executes dropped EXE
        PID:3032
      • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
        "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
        3⤵
        • Executes dropped EXE
        PID:2084
      • C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe
        "C:\Users\Admin\Documents\4ITlhcc1e5J4kZacgoEXIvh6.exe"
        3⤵
        • Executes dropped EXE
        PID:2872
    • C:\Users\Admin\Documents\Sl4MjhIOl7oOFVGc92iif3xt.exe
      "C:\Users\Admin\Documents\Sl4MjhIOl7oOFVGc92iif3xt.exe"
      2⤵
      • Executes dropped EXE
      PID:984
    • C:\Users\Admin\Documents\NvZhU668MYXMPb1NSz_7vyg1.exe
      "C:\Users\Admin\Documents\NvZhU668MYXMPb1NSz_7vyg1.exe"
      2⤵
      • Executes dropped EXE
      PID:1772
    • C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
      "C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      PID:824
      • C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        3⤵
        • Executes dropped EXE
        PID:2692
      • C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3064
      • C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        C:\Users\Admin\Documents\F5I4nskzfS6SPUVOnnVvRZup.exe
        3⤵
          PID:2936
      • C:\Users\Admin\Documents\xk02GeCqSDeJQ6swfc59l3xr.exe
        "C:\Users\Admin\Documents\xk02GeCqSDeJQ6swfc59l3xr.exe"
        2⤵
        • Executes dropped EXE
        PID:916
      • C:\Users\Admin\Documents\fRodzUzU6Qd6o9GZhcP8JCGu.exe
        "C:\Users\Admin\Documents\fRodzUzU6Qd6o9GZhcP8JCGu.exe"
        2⤵
        • Executes dropped EXE
        PID:980
      • C:\Users\Admin\Documents\zKgrcb0EIKIIafuI6xSI4Pmo.exe
        "C:\Users\Admin\Documents\zKgrcb0EIKIIafuI6xSI4Pmo.exe"
        2⤵
        • Executes dropped EXE
        • Modifies system certificate store
        PID:2016
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\32103348435.exe"
          3⤵
          • Loads dropped DLL
          PID:2948
          • C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\32103348435.exe
            "C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\32103348435.exe"
            4⤵
            • Executes dropped EXE
            PID:2056
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\52970054678.exe" /mix
          3⤵
          • Loads dropped DLL
          PID:1368
          • C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\52970054678.exe
            "C:\Users\Admin\AppData\Local\Temp\{4LBl-P41Ds-TqHY-qNm0j}\52970054678.exe" /mix
            4⤵
            • Executes dropped EXE
            • Checks processor information in registry
            PID:2440
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c taskkill /im "zKgrcb0EIKIIafuI6xSI4Pmo.exe" /f & erase "C:\Users\Admin\Documents\zKgrcb0EIKIIafuI6xSI4Pmo.exe" & exit
          3⤵
            PID:2380
            • C:\Windows\SysWOW64\taskkill.exe
              taskkill /im "zKgrcb0EIKIIafuI6xSI4Pmo.exe" /f
              4⤵
              • Kills process with taskkill
              • Suspicious use of AdjustPrivilegeToken
              PID:2788
        • C:\Users\Admin\Documents\pEH4PzJeCNDaWA2LluQedLCp.exe
          "C:\Users\Admin\Documents\pEH4PzJeCNDaWA2LluQedLCp.exe"
          2⤵
            PID:840
          • C:\Users\Admin\Documents\VDdDr2fAl0GCa1cCFOl15DxP.exe
            "C:\Users\Admin\Documents\VDdDr2fAl0GCa1cCFOl15DxP.exe"
            2⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            PID:1728
            • C:\Users\Admin\Documents\VDdDr2fAl0GCa1cCFOl15DxP.exe
              C:\Users\Admin\Documents\VDdDr2fAl0GCa1cCFOl15DxP.exe
              3⤵
                PID:2700
            • C:\Users\Admin\Documents\a8vNWGbygosrngLOngEb1PLO.exe
              "C:\Users\Admin\Documents\a8vNWGbygosrngLOngEb1PLO.exe"
              2⤵
              • Executes dropped EXE
              PID:1328
            • C:\Users\Admin\Documents\VBR1HIUqtoFgwqLAZLiYZTb6.exe
              "C:\Users\Admin\Documents\VBR1HIUqtoFgwqLAZLiYZTb6.exe"
              2⤵
                PID:968
              • C:\Users\Admin\Documents\0i_ENcezKIVAbydvInbExLcr.exe
                "C:\Users\Admin\Documents\0i_ENcezKIVAbydvInbExLcr.exe"
                2⤵
                • Executes dropped EXE
                PID:1400
                • C:\Program Files (x86)\Company\NewProduct\inst001.exe
                  "C:\Program Files (x86)\Company\NewProduct\inst001.exe"
                  3⤵
                    PID:2816
                  • C:\Program Files (x86)\Company\NewProduct\cutm3.exe
                    "C:\Program Files (x86)\Company\NewProduct\cutm3.exe"
                    3⤵
                      PID:2824
                    • C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe
                      "C:\Program Files (x86)\Company\NewProduct\md8_8eus.exe"
                      3⤵
                        PID:2876
                    • C:\Users\Admin\Documents\k9UAM_uKJYUudBmWACOHaNe6.exe
                      "C:\Users\Admin\Documents\k9UAM_uKJYUudBmWACOHaNe6.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:2036
                    • C:\Users\Admin\Documents\yNanRaiZq4ANmKCXsDc2eA7Y.exe
                      "C:\Users\Admin\Documents\yNanRaiZq4ANmKCXsDc2eA7Y.exe"
                      2⤵
                      • Executes dropped EXE
                      PID:1824
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\59650447732.exe"
                        3⤵
                        • Loads dropped DLL
                        PID:2960
                        • C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\59650447732.exe
                          "C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\59650447732.exe"
                          4⤵
                          • Executes dropped EXE
                          • Checks BIOS information in registry
                          • Checks whether UAC is enabled
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          PID:936
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\19401104374.exe" /mix
                        3⤵
                        • Loads dropped DLL
                        PID:2280
                        • C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\19401104374.exe
                          "C:\Users\Admin\AppData\Local\Temp\{E6Qx-hgXkW-hIQH-RYcxl}\19401104374.exe" /mix
                          4⤵
                          • Executes dropped EXE
                          • Checks processor information in registry
                          PID:1416
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c taskkill /im "yNanRaiZq4ANmKCXsDc2eA7Y.exe" /f & erase "C:\Users\Admin\Documents\yNanRaiZq4ANmKCXsDc2eA7Y.exe" & exit
                        3⤵
                          PID:1756
                          • C:\Windows\SysWOW64\taskkill.exe
                            taskkill /im "yNanRaiZq4ANmKCXsDc2eA7Y.exe" /f
                            4⤵
                            • Kills process with taskkill
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2888
                      • C:\Users\Admin\Documents\9vnFBUfEcHu6eGRs2_Iiz1Nh.exe
                        "C:\Users\Admin\Documents\9vnFBUfEcHu6eGRs2_Iiz1Nh.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:1916
                      • C:\Users\Admin\Documents\czamVW68ZibRGKTTvu4clLWS.exe
                        "C:\Users\Admin\Documents\czamVW68ZibRGKTTvu4clLWS.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:848
                      • C:\Users\Admin\Documents\68lMl333gBhKp9MyTB07uyOd.exe
                        "C:\Users\Admin\Documents\68lMl333gBhKp9MyTB07uyOd.exe"
                        2⤵
                        • Executes dropped EXE
                        • Checks BIOS information in registry
                        • Checks whether UAC is enabled
                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                        PID:1948
                      • C:\Users\Admin\Documents\uucUETaVGXpVhvODWbTShNS1.exe
                        "C:\Users\Admin\Documents\uucUETaVGXpVhvODWbTShNS1.exe"
                        2⤵
                        • Executes dropped EXE
                        PID:2060
                      • C:\Users\Admin\Documents\BO7ddKC6Ud8FM8IwbbsPlnhb.exe
                        "C:\Users\Admin\Documents\BO7ddKC6Ud8FM8IwbbsPlnhb.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1700
                        • C:\Users\Admin\Documents\BO7ddKC6Ud8FM8IwbbsPlnhb.exe
                          "C:\Users\Admin\Documents\BO7ddKC6Ud8FM8IwbbsPlnhb.exe"
                          3⤵
                          • Executes dropped EXE
                          • Modifies data under HKEY_USERS
                          PID:2136
                      • C:\Users\Admin\Documents\pLhIUd01oDBT5zGR1L3FpRQK.exe
                        "C:\Users\Admin\Documents\pLhIUd01oDBT5zGR1L3FpRQK.exe"
                        2⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        PID:1588
                        • C:\Users\Admin\Documents\pLhIUd01oDBT5zGR1L3FpRQK.exe
                          C:\Users\Admin\Documents\pLhIUd01oDBT5zGR1L3FpRQK.exe
                          3⤵
                            PID:2000
                        • C:\Users\Admin\Documents\sbZCvrJAEGhBG4SfuWxoHX2S.exe
                          "C:\Users\Admin\Documents\sbZCvrJAEGhBG4SfuWxoHX2S.exe"
                          2⤵
                          • Executes dropped EXE
                          PID:1596
                          • C:\Windows\SysWOW64\WerFault.exe
                            C:\Windows\SysWOW64\WerFault.exe -u -p 1596 -s 1284
                            3⤵
                            • Loads dropped DLL
                            • Program crash
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious behavior: GetForegroundWindowSpam
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2724

                      Network

                      MITRE ATT&CK Enterprise v6

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • memory/508-212-0x00000000048A0000-0x00000000048F8000-memory.dmp

                        Filesize

                        352KB

                        Download

                      • memory/508-211-0x0000000000980000-0x00000000009CD000-memory.dmp

                        Filesize

                        308KB

                        Download

                      • memory/508-209-0x00000000006C0000-0x00000000006D6000-memory.dmp

                        Filesize

                        88KB

                        Download

                      • memory/508-213-0x0000000000E00000-0x0000000000E27000-memory.dmp

                        Filesize

                        156KB

                        Download

                      • memory/508-156-0x0000000000120000-0x0000000000121000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/508-172-0x0000000000B70000-0x0000000000B71000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/824-157-0x0000000001190000-0x0000000001191000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/848-146-0x0000000000260000-0x0000000000261000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/916-160-0x0000000000930000-0x0000000000931000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/936-217-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1016-171-0x0000000000290000-0x0000000000291000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1588-159-0x0000000000A10000-0x0000000000A11000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1728-158-0x00000000012C0000-0x00000000012C1000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/1824-169-0x0000000000400000-0x0000000001D81000-memory.dmp

                        Filesize

                        25.5MB

                        Download

                      • memory/1824-154-0x00000000003A0000-0x00000000003CF000-memory.dmp

                        Filesize

                        188KB

                        Download

                      • memory/1948-175-0x0000000000C60000-0x0000000000C61000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2000-202-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2016-168-0x0000000000400000-0x0000000000534000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2016-162-0x0000000000220000-0x000000000024F000-memory.dmp

                        Filesize

                        188KB

                        Download

                      • memory/2028-60-0x00000000760B1000-0x00000000760B3000-memory.dmp

                        Filesize

                        8KB

                        Download

                      • memory/2028-61-0x0000000003C40000-0x0000000003D7F000-memory.dmp

                        Filesize

                        1.2MB

                        Download

                      • memory/2060-155-0x0000000000B00000-0x0000000000B01000-memory.dmp

                        Filesize

                        4KB

                        Download

                      • memory/2692-199-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2692-177-0x0000000000400000-0x0000000000422000-memory.dmp

                        Filesize

                        136KB

                        Download

                      • memory/2700-176-0x0000000000400000-0x000000000044A000-memory.dmp

                        Filesize

                        296KB

                        Download