Analysis
max time kernel: 14s
max time network: 125s
platform: windows7_x64
resource: win7-en-20211104
submitted: 21/11/2021, 15:16

Static task: static1
Behavioral task: behavioral1
  Sample: b16504e25ef918a88c54371fea0e49aa.exe
  Resource: win7-en-20211104
Behavioral task: behavioral2
  Sample: b16504e25ef918a88c54371fea0e49aa.exe
  Resource: win10-en-20211014

General
Target: b16504e25ef918a88c54371fea0e49aa.exe
Size: 13.8MB
MD5: b16504e25ef918a88c54371fea0e49aa
SHA1: 786cb7fa904b8c19c055b6a49527f7e9d907307a
SHA256: 4066a70177c5b8a86458e8727efaa599b0de0e342fd709eec5d3b78ed066cd67
SHA512: 7a549cf81e37f2c52ecd87b3827f99da8c3bc175a029c0387964a26005dd0fbc918de3261d1e3bd42104bc53eca16325817d85be60bd78688be16118e23ad102
Malware Config

Extracted: socelars
  http://www.gianninidesign.com/

Extracted: metasploit
  windows/single_exec

Extracted: smokeloader
  2020
  http://membro.at/upload/
  http://jeevanpunetha.com/upload/
  http://misipu.cn/upload/
  http://zavodooo.ru/upload/
  http://targiko.ru/upload/
  http://vues3d.com/upload/
Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.

Process spawned unexpected child process (1 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description                                                                           pid   pid_target  Process       procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process    2820  2500        rundll32.exe  74
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine Payload (2 IoCs)
resource                                                     yara_rule
behavioral1/memory/2604-273-0x0000000000418EFE-mapping.dmp   family_redline
behavioral1/memory/2612-276-0x0000000000418F06-mapping.dmp   family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.

Socelars Payload (3 IoCs)
resource                                        yara_rule
behavioral1/files/0x000600000001229a-169.dat    family_socelars
behavioral1/files/0x000600000001229a-161.dat    family_socelars
behavioral1/files/0x000600000001229a-108.dat    family_socelars
suricata: ET MALWARE GCleaner Downloader Activity M5

suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin

resource                                        yara_rule
behavioral1/files/0x0006000000012220-71.dat     aspack_v212_v242
behavioral1/files/0x000600000001221e-74.dat     aspack_v212_v242
behavioral1/files/0x000600000001221e-73.dat     aspack_v212_v242
behavioral1/files/0x0006000000012220-72.dat     aspack_v212_v242
behavioral1/files/0x0006000000012228-77.dat     aspack_v212_v242
behavioral1/files/0x0006000000012228-78.dat     aspack_v212_v242
Downloads MZ/PE file

Executes dropped EXE (10 IoCs)
pid    Process
1124   setup_installer.exe
1932   setup_install.exe
892    Wed0534fdcb003d1e565.exe
572    Wed058cca47ea86cc0b.exe
360    Wed05530159d4f285214.exe
1168   Wed058c3464dcf6606b1.exe
1072   Wed055e29ac05f0e14.exe
1680   Wed05ecd67738969.exe
884    Wed05cb54d5272ed03.exe
1448   Wed05c754f5b2a7ed96.exe

Loads dropped DLL (36 IoCs)
pid    Process
548    b16504e25ef918a88c54371fea0e49aa.exe
1124   setup_installer.exe
1124   setup_installer.exe
1124   setup_installer.exe
1124   setup_installer.exe
1124   setup_installer.exe
1124   setup_installer.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
1932   setup_install.exe
284    cmd.exe
284    cmd.exe
1328   cmd.exe
1328   cmd.exe
1952   cmd.exe
892    Wed0534fdcb003d1e565.exe
892    Wed0534fdcb003d1e565.exe
568    cmd.exe
1980   cmd.exe
1884   cmd.exe
1732   cmd.exe
360    Wed05530159d4f285214.exe
360    Wed05530159d4f285214.exe
1168   Wed058c3464dcf6606b1.exe
1168   Wed058c3464dcf6606b1.exe
572    Wed058cca47ea86cc0b.exe
572    Wed058cca47ea86cc0b.exe
1072   Wed055e29ac05f0e14.exe
1072   Wed055e29ac05f0e14.exe
948    cmd.exe
1724   cmd.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs)

Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow   ioc
13     ip-api.com
44     ipinfo.io
45     ipinfo.io

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Program crash (1 IoCs)
pid    pid_target  Process       procid_target
2228   360         WerFault.exe  66

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description      ioc                                                 Process
Key opened       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Wed0534fdcb003d1e565.exe
Key queried      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Wed0534fdcb003d1e565.exe
Key enumerated   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI    Wed0534fdcb003d1e565.exe

Kills process with taskkill (2 IoCs)
pid    Process
2480   taskkill.exe
2656   taskkill.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid    Process
892    Wed0534fdcb003d1e565.exe
892    Wed0534fdcb003d1e565.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description                         pid    Process                                procid_target
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 548 wrote to memory of 1124     548    b16504e25ef918a88c54371fea0e49aa.exe   28
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1124 wrote to memory of 1932    1124   setup_installer.exe                    29
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1216    1932   setup_install.exe                      31
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1932 wrote to memory of 1320    1932   setup_install.exe                      32
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1216 wrote to memory of 1332    1216   cmd.exe                                33
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1320 wrote to memory of 1452    1320   cmd.exe                                35
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 1980    1932   setup_install.exe                      34
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 284     1932   setup_install.exe                      36
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1732    1932   setup_install.exe                      37
PID 1932 wrote to memory of 1952    1932   setup_install.exe                      38
Processes
(Process tree. The number in brackets is the nesting level of each process; indentation follows the parent/child relationship. Each entry gives the image path, the command line and the PID, followed by the signatures that matched on that process.)

[1] C:\Users\Admin\AppData\Local\Temp\b16504e25ef918a88c54371fea0e49aa.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\b16504e25ef918a88c54371fea0e49aa.exe"
    PID: 548
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
      PID: 1124
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\setup_install.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\7zS464510D5\setup_install.exe"
        PID: 1932
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
          PID: 1216
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disable
            PID: 1332

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
          PID: 1320
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
            PID: 1452

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05ecd67738969.exe
          PID: 1980
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05ecd67738969.exe
            Command line: Wed05ecd67738969.exe
            PID: 1680
            - Executes dropped EXE

          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: cmd.exe /c taskkill /f /im chrome.exe
              PID: 2620

            [7] C:\Windows\SysWOW64\taskkill.exe
                Command line: taskkill /f /im chrome.exe
                PID: 2656
                - Kills process with taskkill

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed0534fdcb003d1e565.exe
          PID: 284
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed0534fdcb003d1e565.exe
            Command line: Wed0534fdcb003d1e565.exe
            PID: 892
            - Executes dropped EXE
            - Loads dropped DLL
            - Checks SCSI registry key(s)
            - Suspicious behavior: EnumeratesProcesses

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05c754f5b2a7ed96.exe
          PID: 1732
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05c754f5b2a7ed96.exe
            Command line: Wed05c754f5b2a7ed96.exe
            PID: 1448
            - Executes dropped EXE

          [6] C:\Users\Admin\AppData\Local\Temp\is-6FBKR.tmp\Wed05c754f5b2a7ed96.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-6FBKR.tmp\Wed05c754f5b2a7ed96.tmp" /SL5="$10164,1104945,831488,C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05c754f5b2a7ed96.exe"
              PID: 2104

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05530159d4f285214.exe
          PID: 1952
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05530159d4f285214.exe
            Command line: Wed05530159d4f285214.exe
            PID: 360
            - Executes dropped EXE
            - Loads dropped DLL

          [6] C:\Users\Admin\Pictures\Adobe Films\hUh13tCBfm__2vh7MhWlI63i.exe
              Command line: "C:\Users\Admin\Pictures\Adobe Films\hUh13tCBfm__2vh7MhWlI63i.exe"
              PID: 3032

          [6] C:\Windows\SysWOW64\WerFault.exe
              Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 360 -s 1496
              PID: 2228
              - Program crash

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed055e29ac05f0e14.exe
          PID: 1884
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed055e29ac05f0e14.exe
            Command line: Wed055e29ac05f0e14.exe
            PID: 1072
            - Executes dropped EXE
            - Loads dropped DLL

          [6] C:\Users\Admin\AppData\Local\Temp\is-19245.tmp\Wed055e29ac05f0e14.tmp
              Command line: "C:\Users\Admin\AppData\Local\Temp\is-19245.tmp\Wed055e29ac05f0e14.tmp" /SL5="$70152,140785,56832,C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed055e29ac05f0e14.exe"
              PID: 1720

            [7] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed055e29ac05f0e14.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed055e29ac05f0e14.exe" /SILENT
                PID: 2056

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed058c3464dcf6606b1.exe
          PID: 568
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed058c3464dcf6606b1.exe
            Command line: Wed058c3464dcf6606b1.exe
            PID: 1168
            - Executes dropped EXE
            - Loads dropped DLL

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed058cca47ea86cc0b.exe
          PID: 1328
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed058cca47ea86cc0b.exe
            Command line: Wed058cca47ea86cc0b.exe
            PID: 572
            - Executes dropped EXE
            - Loads dropped DLL

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05cb54d5272ed03.exe
          PID: 948
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05cb54d5272ed03.exe
            Command line: Wed05cb54d5272ed03.exe
            PID: 884
            - Executes dropped EXE

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05572ff115815bed.exe
          PID: 1724
          - Loads dropped DLL

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05572ff115815bed.exe
            Command line: Wed05572ff115815bed.exe
            PID: 964

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed059ecd633701f3.exe
          PID: 860

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059ecd633701f3.exe
            Command line: Wed059ecd633701f3.exe
            PID: 300

          [6] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059ecd633701f3.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059ecd633701f3.exe
              PID: 2604

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05b5c2705a.exe
          PID: 968

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05b5c2705a.exe
            Command line: Wed05b5c2705a.exe
            PID: 1548

          [6] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05b5c2705a.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05b5c2705a.exe"
              PID: 992

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed0504ce1fce545657.exe
          PID: 1972

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed0507640eb5b.exe
          PID: 1872

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed059a025cf2a.exe
          PID: 760

        [5] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059a025cf2a.exe
            Command line: Wed059a025cf2a.exe
            PID: 1340

          [6] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059a025cf2a.exe
              Command line: C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed059a025cf2a.exe
              PID: 2612

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /c Wed05c770a4470c.exe /mixtwo
          PID: 1608

[1] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05c770a4470c.exe
    Command line: Wed05c770a4470c.exe /mixtwo
    PID: 1192

  [2] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05c770a4470c.exe
      Command line: Wed05c770a4470c.exe /mixtwo
      PID: 1756

    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "Wed05c770a4470c.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed05c770a4470c.exe" & exit
        PID: 2444

      [4] C:\Windows\SysWOW64\taskkill.exe
          Command line: taskkill /im "Wed05c770a4470c.exe" /f
          PID: 2480
          - Kills process with taskkill

[1] C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed058cca47ea86cc0b.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zS464510D5\Wed058cca47ea86cc0b.exe" -u
    PID: 1536

[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "-97487681210869245971998247865-82461934-19493775528922442781294593980544010642"
    PID: 1972

[1] C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 2844

[1] C:\Windows\system32\svchost.exe
    Command line: C:\Windows\system32\svchost.exe -k SystemNetworkService
    PID: 2932

[1] C:\Windows\system32\rundll32.exe
    Command line: rundll32.exe "C:\Users\Admin\AppData\Local\Temp\sqlite.dll",global
    PID: 2820
    - Process spawned unexpected child process

[1] C:\Windows\system32\makecab.exe
    Command line: "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20211121151357.log C:\Windows\Logs\CBS\CbsPersist_20211121151357.cab
    PID: 1340

[1] C:\Windows\system32\conhost.exe
    Command line: \??\C:\Windows\system32\conhost.exe "-5176396942134570193-797381602866525544-1034347109-1121301744-867375015-1692247425"
    PID: 760